Access rights of users of a computer network with respect to 
data entities are specified by a relational database stored on 
one or more security servers. Application servers on the 
network that provide user access to the data entities generate 
queries to the relational database in order to obtain access 
rights lists of specific users. An access rights cache on each 
application server caches the access rights lists of the users 
that are connected to the respective application server, so 
that user access rights to specific data entities can rapidly be 
determined. Each user-specific access rights list includes a 
series of category identifiers plus a series of access rights 
values. The category identifiers specify categories of data 
entities to which the user has access, and the access rights 
values specify privilege levels of the users with respect to 
the corresponding data entity categories. The privilege lev- 
els are converted into specific access capabilities by appli- 
cation programs running on the application servers. 

SYSTEM AND METHOD FOR 
CONTROLLING ACCESS TO DATA 
ENTITIES IN A COMPUTER NETWORK 

FIELD OF THE INVENTION 

The present invention relates to computer networks in 
which access rights to data entities vary from user-to-user. 
More particularly, the present invention relates to database 
systems for storing access rights information. 

BACKGROUND 

The present invention is directed generally to the problem of flexibly and efficiently controlling the access rights of a large number of users to a large number of objects or other data entities. The problem arises, for example, in the context of on-line services networks in which end users are given differing levels of access to different content entities. These content entities represent the services or "content" of the network, as seen by end users. The content entities may include, for example, bulletin board messages, mail messages, data files, folders, image files, sound files, multimedia files, executable files, on-line services, connections to other networks, etc. An on-line services network of this type is described in copending U.S. Application Ser. No. 08/472,807 having the title ARCHITECTURE FOR SCALABLE ON-LINE SERVICES NETWORK, filed Jun. 7, 1995 (now U.S. Pat. No. 5,774,668). 

The need to assign user-specific access rights to different content entities arises in a variety of situations. For example, it may be desirable to give some users access to certain "premium" services (such as specially-targeted investment newsletters), while limiting other users to some basic set of services. Further, it may be desirable to give certain users (such as system operators or administrators) the ability to modify, rename or delete certain content entities (such as bulletin board messages), while limiting other users to read-only access of such entities. 

Various techniques are known in the art for controlling user accesses to objects and other data entities. One technique, which is commonly used in file systems, involves the storage of an access control list (ACL) for each data entity to which access is to be controlled. The ACL for a given data entity will typically be in the form of a list of the users that have access to the data entity, together with the access rights of each such user with respect to the data entity. Each time a user requests access to the entity, the data entity's ACL is searched to determine whether the requested access is authorized. Another technique involves the storage of a capabilities list for each user. The capabilities list for a given user will typically include a list of the objects to which the user has access, together with the operations that can be performed by the user on each listed object. Both the ACL technique and the capabilities list technique are described in Silberschatz and Galvin, Operating System Concepts, Fourth Edition, Addison-Wesley Publishing Company, 1994. 

With the increasing popularity of on-line services networks, and with the increasing need for such networks to provide limited user access to the Internet, it has become increasingly important to be able to provide large numbers of users with controlled access to large numbers of content entities. In the network described in the above-referenced application, for example, it is contemplated that the number of subscribers may be in the millions, and that the number of content entities may be in the tens of thousands. To provide flexibility, it is also desirable to be able to individualize the access rights of users. 
Although prior art access control techniques such as those summarized above are suitable in theory for flexibly controlling user access in large-scale on-line services networks, these techniques tend to produce prohibitively large quantities of access rights data. For example, in a network having millions of users, the access control list technique might produce access control lists that have millions of entries. These large quantities of access rights data consume large amounts of memory, and often take unacceptably long periods of time to search. 

A need thus exists in the art for a technique that is suitable 
for flexibly controlling the access of a large number of users 
to a large number of data entities. A need also exists to be 
able to flexibly and efficiently define new types of access 
operations as new on-line services and new content entities 
are created. 

SUMMARY 

In accordance with the present invention, there is pro- 
vided a system and method for controlling user access to 
data entities in a computer network. The data entities are 
preferably in the form of content objects of an on-line 
services network, although the system and method can be 
used to control access to other types of data entities. 

In a preferred implementation of an on-line services 
network in which the present invention is embodied, the 
content objects are stored on multiple application servers of 
the network, and represent the on-line services and service 
data that is accessible to users of the network. Examples of content objects include bulletin board system (BBS) messages and folders, Chat conferences, download-and-run files, and service applications which implement specific on-line services. Users access these content objects by 
connecting to different application servers and correspond- 
ing services in the course of a logon session. 

Service applications running on the application servers 
implement various on-line services, such as Chat, Mail, BBS, FTM (File Transfer Manager) and Mediaview. One 
on-line service, referred to as the Directory Service, main- 
tains a directory structure of the content objects that are 
accessible to users, with the content objects forming nodes 
of the tree-like directory structure. By sending properties of 
these nodes to a client application running on the computer 
of an end user, the Directory Service provides the user with 
a hierarchical, navigable view of the content of the network. 

In accordance with the invention, different users of the 
network (including both subscribers and system 
administrators) are given different access rights with respect 
to different content objects, and can thus perform differing 
types of operations with respect to the content objects. For 
example, with respect to a given BBS folder, some users 
may be prevented from seeing or otherwise accessing the 
folder, some may be given read-only access to the contents 
of the folder, some may be given the capability to create new 
messages within the folder, and some may additionally be 
given the capability to delete and/or rename messages within 
the folder. 

In accordance with one feature of the present invention, 
the access rights of the users of the network with respect to 
the various user-accessible content objects are specified by 
access rights data that is stored within an access rights 
database. The access rights database is implemented as a 
relational database on one or more security servers, which 
are connected to the application servers by a local area 
network. The access rights data is stored within the rela- 
tional database in association with multiple content category 
identifiers, or "tokens," which identify categories or groupings of content objects (such as "internal public data," "Internet public data," and "18-and-older only data") for security purposes. The various content categories are preferably defined by system administrators. The content categories, rather than the content objects, serve as the basic content units to which user access rights may be specified. The use of content categories eliminates the need to store access rights data on a per-object basis, and thereby significantly reduces the quantity of access rights data that needs to be stored. 

The access rights data is preferably stored within the relational database in further association with multiple user group identifiers, which identify user groups (such as "allsysops" and "guests") that have been formed for the purpose of storing access rights data. By storing access rights data primarily on a per-group basis rather than separately storing the access rights of each individual user, the use of user groups further reduces the quantity of access rights data that needs to be stored. 

The use of content categories and user groups advantageously allows access rights to be specified for large numbers of users (typically millions) with respect to large numbers of content objects (typically thousands) with a high degree of granularity. 

In accordance with another feature of the invention, the service applications running on the various application servers initiate user-specific queries of the access rights database to obtain access rights lists of specific users. With each user-specific access rights query, the security server that receives the query accesses the access rights database and generates an access rights list which fully specifies the access rights of the user. This access rights list is returned to the application server that generated the query, and is stored within an access rights cache of the application server. The service which initiated the query can then rapidly determine the access rights of the user with respect to specific content objects (as described below) by accessing its locally-stored copy of the user's access rights list. Because a user may be connected simultaneously to multiple application servers of the on-line services network (when, for example, the user opens multiple services), the access rights list of a given user may be stored concurrently within the respective caches of multiple application servers. 

In accordance with another feature of the invention, the access rights list of each user includes pairs of tokens and corresponding access rights values. Each token in the list identifies a content category to which the user has at least some access rights. For example, a token of "5" in the list indicates that the user has access to all content objects which fall within content category 5. Each access rights value in the list specifies the access rights of the user with respect to a corresponding content category. The access rights values are preferably in the form of privilege level masks which specify one or more general privilege levels (such as "viewer," "user," "host," "sysop," and "supersysop"). These general privilege levels are translated into specific sets of access capabilities by the on-line service applications. For example, the BBS service may give users with sysop-level privileges the capability to delete and rename BBS messages. 

In accordance with another feature of the invention, when it becomes necessary for a service (running on an application server) to determine the access rights of a user with respect to a specific content object, the service initially reads the object's token, which is preferably stored as a property of a corresponding Directory Service node. This token specifies the content category to which the content object belongs. The service then generates an API (application program interface) call, which causes the application server to search its access rights cache for the user's access rights list and, if found, to search the access rights list for the token. If the user's access rights list is not found, the API initially generates a query of the access rights database (to fill the cache with the user's access rights list), and then searches the cache for the token. If the token is found, the API returns the corresponding access rights value to the service that generated the API call. If the token is not found, the API returns a value indicating that the user cannot access the content object. 

In accordance with yet another feature of the invention, the relational access rights database includes three tables. The first table is a group-member table, which lists the members (i.e., user accounts) of each user group. Each user of the network is a member of at least one user group, and may be a member of multiple user groups. The second table is a group-token table which contains, for each user group, a group-based access rights list (in the form of a list of tokens and corresponding access rights values). Each group-based access rights list specifies the group-based rights which are provided to all members of the respective group. The third table is an account-token table, which specifies, on a single-user basis (for certain users), additional rights that are to be added to the group-based rights of the user. Each user-specific entry in the account-token table is preferably in the form of a single token plus a corresponding access rights value. 

In addition to (or in place of) the account-token table, an exclusion table may optionally be implemented to specify access rights that are to be taken away from the accounts of specific users. As with the account-token table, each user-specific entry in the exclusion table is preferably in the form of a single token plus a corresponding access rights value. The exclusion table is useful, for example, for taking away certain privileges of users who misuse certain services. 

Upon receiving a user-specific access rights query, the security server initially accesses the group-member table to identify all user groups of which the specified user is a member. The security server then accesses the group-token table to obtain the group-based access rights list of each user group of which the user is a member. The security server thereby identifies all of the rights the user has by virtue of being a member of one or more user groups. If the user is a member of multiple user groups, the multiple group-based access rights lists are combined so that the user is given all of the rights associated with all user groups of which the user is a member. The security server then accesses the account-token table to determine whether any additional (or "special") rights (in the form of tokens and corresponding access rights values) have been added to the account of the user. If one or more entries exist in the account-token table for the user, these entries are combined with the user's group-based rights to generate the user's access rights list. (For embodiments that include an exclusion table, if one or more entries exist for the user in the exclusion table, these entries are subtracted from the user's group-based rights.) The access rights list is then sorted such that the tokens of the list (and corresponding access rights values) are placed in numerically ascending order (to facilitate cache searches of the list), and the sorted list is transmitted to the application server that generated the query. 

The system and method of the present invention advantageously enable system administrators to flexibly control 
user access to different "service areas" in order to achieve a variety of objectives. In accordance with a preferred mode of operation, when a new service area (preferably represented by one or more nodes of the directory structure) is created, a security token may be assigned to the new service area to provide separate security for the area. A particular user, who may be either a subscriber to the network or a system administrator, may then be given sysop-type privileges (via the above-mentioned account-token table) to the new service area. By making different users sysops with respect to different service areas, the responsibility of monitoring user-generated content is distributed among many different individuals. In accordance with another preferred mode of operation, content categories and user groups are formed so as to create many different communications forums (such as Chat conferences and BBS folders) for private correspondence among user-specified subgroups of users. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the invention will now be described with reference to the drawings of a preferred embodiment, which are intended to illustrate and not to limit the invention, and in which: 

FIG. 1 is a high level diagram illustrating the general architecture of an on-line services network which provides access control in accordance with the present invention. 

FIG. 2 illustrates how the content of the on-line services network of FIG. 1 is preferably arranged within a tree-like directory structure of content nodes. 

FIG. 3A illustrates an access control matrix which specifies, for each user and for each node of the directory structure of FIG. 2, whether the user can access the node, and if so, what the level of access is. The notation "XXXX" in FIG. 3A represents a 16-bit access rights value. 

FIG. 3B illustrates a preferred basic set of privilege levels, and illustrates one possible assignment of access rights bits to the privilege levels. 

FIG. 4A illustrates how the access control matrix of FIG. 3A is preferably compressed horizontally by the assignment of content nodes to content categories, with each content category identified by a numerical security token. 

FIG. 4B is a token definition table which illustrates a preferred basic set of security tokens (tokens 1-4), and which illustrates examples of tokens (tokens 100 and 101) which may be added to accommodate specific data types. 

FIG. 5A illustrates how the access control matrix of FIG. 4A is compressed vertically by the assignment of users to user groups. 

FIG. 5B is a group definition table which shows a preferred basic set of user groups, and which illustrates one possible assignment of group IDs to user groups. 

FIG. 6 illustrates a preferred relational database which is used to store access rights data in accordance with the present invention. Numerical values in FIG. 6 are examples of possible table entries. 

FIG. 7 illustrates a sequence of steps taken by one of the security servers of FIG. 1 when a database query is made for the access rights of a specific user. 

FIG. 8 illustrates the preferred process by which one application server queries a security server for the access rights of a specific user and then caches the access rights data returned by the security server. Also shown in FIG. 8 are the basic structures used for flushing user-specific rows of the cache. 

FIG. 9 illustrates a preferred arrangement of the cache of FIG. 8. Numerical values in FIG. 9 correspond to the example table entries of FIG. 6. 

FIG. 10 illustrates a sequence of steps taken by an application server to determine the access rights of a specific user ("user X") with respect to a specific token ("token Y"). 

Reference numbers in the drawings have three or more digits. The two least significant digits are reference numbers within the drawing, and the more significant digits indicate the figure in which the item first appears. For example, reference number 602 refers to an item which is first shown in FIG. 6. Like reference numbers indicate like or functionally similar components. 

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT 

Described herein is a system and method for controlling the access rights of users of an on-line services network to content entities such as bulletin board messages, message folders, chat conferences, service applications, download-and-run files and data files. As will be recognized by those skilled in the art, the system and method of the present invention are not limited to these types of data entities to which access is being controlled. For example, the data entities could be low-level software and/or hardware resources such as threads, semaphores, memory segments and CPUs. It will further be recognized that the system and method of the present invention could be employed in any of a variety of alternative networking environments, including file systems and operating systems. 

For convenience, the description of the preferred embodiment is broken up into the following 12 sections: 

1. ARCHITECTURAL OVERVIEW (FIG. 1); 
2. OVERVIEW OF CHAT AND BBS SERVICES; 
3. OVERVIEW OF DIRECTORY SERVICE AND SECURITY (FIG. 2); 
4. ACCESS RIGHTS (FIGS. 3A AND 3B); 
5. COMPRESSION BY GROUPING OF OBJECTS (FIGS. 4A AND 4B); 
6. COMPRESSION BY GROUPING OF USERS (FIGURES 5A AND 5B); 
7. ACCESS RIGHTS DATABASE (FIG. 6); 
8. QUERIES OF ACCESS RIGHTS DATABASE (FIGS. 7 AND 8); 
9. ACCESS RIGHTS CACHE (FIG. 9); 
10. GetAccountRights METHOD (FIG. 10); 
11. ASSIGNMENT OF TOKENS AND FORMATION OF USER GROUPS; and 
12. OTHER EMBODIMENTS 

The first of these sections provides an overview of the on-line services network in which the present invention is employed. The architecture of this network is further described in the above-referenced, commonly assigned application having the title "ARCHITECTURE FOR SCALABLE ON-LINE SERVICES NETWORK" (U.S. Ser. No. 08/472,807), which is incorporated herein by reference. 

1. Architectural Overview (FIG. 1) 

FIG. 1 is a high level diagram illustrating the general architecture of an on-line services network 100 which provides access control in accordance with the present invention. Multiple client microcomputers 102 are connected to a host data center 104 by a wide area network (WAN) 106. The wide area network 106 includes WAN lines 108 which 
are provided by one or more telecommunications providers, and which allow end users (i.e., users of the microcomputers 102) over a wide geographic area to access the host data center 104. The WAN lines 108 may include, for example, X.25 lines, TCP/IP lines, and ISDN (Integrated Services Digital Network) lines. The host data center 104 provides a variety of information-related and communications-related on-line services to end users. 

The host data center 104 comprises a plurality of application servers 120 connected to one or more high speed local area networks (LAN) 122. The application servers 120 are preferably Pentium-class (or better) microcomputers which are scalable to at least four central processing units (CPUs), and which run the Microsoft Windows NT operating system available from Microsoft Corporation. Each application server 120 typically has at least 128 MB of random-access memory (RAM) and at least 4 GB of disk space. 

The application servers 120 are arranged into service groups (also referred to as "AppGroups") that correspond to specific on-line services. Each service group runs a particular service and provides access to a corresponding data set. Three example service groups are shown in FIG. 1: a CHAT service group 130, a bulletin board system (BBS) service group 132, and a DirSrv service group 134. Additional service groups (not shown) are provided to implement other on-line services, including Mediaview (a service which provides multimedia titles to end users), Mail (an email service), FTM (a service for uploading and downloading files) and Component Manager (a service which allows users to update client software when new releases become available). Other on-line services may include, for example, an interactive games service, a file transfer service, a weather service, and a World Wide Web browsing service. A service group can have as few as one application server 120. System administrators can adjust the number of application servers 120 in a given service group to accommodate the current usage level of the corresponding service. 

Also connected to the LAN 122 are multiple Gateway microcomputers 140 (hereinafter "Gateways") which link incoming calls from end users to the application servers 120. The Gateways are preferably Pentium-class microcomputers which are scalable to at least four central processing units (CPUs), and which run the Microsoft Windows NT operating system. Each Gateway 140 typically has at least 64 MB of RAM and at least 2 GB of disk space, and is capable of supporting approximately 1000 simultaneous user connections. 

Also connected to the LAN 122 are multiple security servers 150. The security servers 150 are preferably Pentium-class microcomputers which are scalable to at least four central processing units (CPUs), and which run the Microsoft Windows NT operating system. Each security server 150 maintains a relational database 152 (i.e., a database in which the contents are organized as a set of two or more interrelated tables) which contains the access rights data for all users of the network 100. In the preferred embodiment, the security servers 150 are replicated, meaning that they store and provide access to the same access rights data. In other embodiments, the access rights data may be partitioned across the security servers 150. 

Each security server 150 runs Structured Query Language (SQL) code to provide access to its respective access rights database 152. SQL is a programming language standardized by the International Standards Organization (ISO) for defining, updating and querying relational databases. A query to the access rights database 152 can emanate either from one of the application servers 120 (when, for example, a user attempts to access a content object which is stored by the application server 120), or by one of the Gateways 140 (when a user attempts to open an on-line service). In accordance with one feature of the present invention, each machine 120, 140 which generates queries of the access rights database 152 implements an access rights cache for locally storing user-specific access rights information obtained from the database 152. In other embodiments, all access rights queries may be generated by a single group or type of machine (e.g., the Gateways 140, or a group of logon servers), and these machines may be configured to pass the user-specific access rights information read from the database 152 to the various application servers 120 to which the user connects. 

Various other types of servers and other microcomputers are connected to the LAN 122 but are not shown in FIG. 1. For example, billing and logon servers are provided to record billable events and to handle user logon, respectively. Further, Arbiter microcomputers are provided to perform transaction replication services for certain service groups, allowing the application servers of such service groups to store identical copies of the same service content data. 

It is envisioned that the host data center 104 may have on the order of one hundred Gateways 140, and between several hundred and several thousand application servers 120. A host data center of this type will be able to handle millions of subscribers and tens of thousands of simultaneous user logon sessions. Advantageously, the processing capacity of the host data center 104 can easily be increased (to support new services, and to support increases in the number of subscribers) by connecting additional Gateways 140 and application servers 120 to the LAN 122, and by adding additional local area networks. Further, additional host data centers 104 can be provided at different geographical locations to accommodate a wide geographic distribution of subscribers. 

"Users" of the on-line services network 100 include both "end users" (typically subscribers) who log onto the system from client microcomputers 102 via the WAN 106, and "internal" users (typically system administrators) who access the system from computers that are connected directly to the LAN 122. Each user of the network, whether an end user or an internal user, is identified by a unique 32-bit account number. As described below, different users have different access privileges with respect to various data entities on the network. 

The on-line services offered to end users of the network 100 are in the form of client-server application programs (or "service applications"). Each service application includes a server portion that runs on one or more of the application servers 120, and at least one corresponding client portion (also referred to as a "client application") that runs on a microcomputer 102 of an end user. In the presently preferred embodiment the client applications are in the form of Microsoft Windows 95 components (including dynamic link libraries, other executables, and data files), and the server portions are implemented primarily as dynamic link libraries running under the Microsoft Windows NT Operating System. 

With reference to FIG. 1, the server portions of the various on-line services are implemented on the application servers 120 of the respective service groups 130, 132, 134. Each application server 120 of a given service group separately runs the same server application. For example, each application server 120 of the Chat service group 130 runs CHAT.DLL, which is a dynamic link library that implements the server portion of the Chat service. Similarly, each 




application server 120 of the BBS service group 132 runs a BBS dynamic link library, and each application server 120 of the DirSrv service group 134 runs a DirSrv dynamic link library. Although each application server 120 is shown in FIG. 1 as being allocated to a single service group, a single application server can simultaneously run multiple service applications, and thus be allocated to multiple service groups. For example, a single application server 120 could run both the Chat and BBS dynamic link libraries and thus be allocated to both the Chat and BBS service groups 130, 132. 

During a typical logon session, a client microcomputer 102 will maintain a communications link with a single Gateway 140, but may access multiple on-line services (and thus communicate with multiple application servers 120). To initially access a service, an "open" request is generated on the client microcomputer 102 and sent to the Gateway 140 that is handling the logon session. The Gateway 140 then selects a single application server 120 (of the appropriate service group) to handle the service session, and opens a pipe (or other type of connection) over the LAN 122 to the selected application server 120. 

Throughout the service session, the Gateway 140 routes messages between the client microcomputer 102 and the application server 120 as the client and server portions of the service application communicate. The Gateway 140 also performs protocol translation between the protocol of the WAN 106 and the protocol of the LAN 122. To terminate the service session, a "close" request is generated at the client microcomputer 102 and sent to the Gateway 140, and the Gateway 140 closes the pipe to the application server 120 that is handling the service session. 

The architecture advantageously supports multiple simul- 

a transaction replication service. A preferred embodiment of the Arbiter service is described in commonly assigned U.S. application Ser. No. 08/485,493, filed Jun. 7, 1995, having the title TRANSACTION REPLICATION SYSTEM AND METHOD FOR SUPPORTING REPLICATED TRANSACTION-BASED SERVICES. 

With reference to FIG. 1, one of the application servers 120 is a BBS Internet feed server. The BBS Internet feed server 120 reads Internet newsgroup messages and posts these messages (by submitting update transactions to the Arbiter service) within the BBS service group 132, thereby providing users with access to newsgroup messages. The BBS Internet feed server 120 is also used to post messages to the Internet. 

Chat rooms and BBS messages are two types of content objects that may be accessed by users. BBS folders (objects which contain BBS messages and/or other BBS folders) are another type of content object that may be accessed. 

The ability to access a given content object, and the access rights of the user with respect to that object, may vary from user to user. Using a Chat room object as an example, some users may be "participants" who can participate in the conference, while other users may be "viewers" who can only view the text of the conversation. One user may further be designated as the "host" of the conversation. The host normally has the responsibility of moderating the conversation, and has the ability to modify the access rights of members of the conversation. For example, if a user fails to comply with the rules of the Chat conference, the host can set that user's privilege level to "viewer," preventing the user from further participating in the conversation. Access rights of users are preferably controlled (typically by system operators or administrators) by updating entries in the access 

taneous service sessions per user. Thus, a user may be rights database 152. as described in detail in the following 

connected to multiple applications savers (via the Gateway 35 sections. 

140 handling die logon session) simultaneously. As with Chat objects, the access rights of users with 

2. Overview of Chat and BBS Services respect to different BBS objects (e.g.. BBS folders and 

Two specific on-line services. Chat and BBS. will now be messages) may vary from user to user. For example, certain 

briefly described. This description will illustrate some of the BBS fodders may be designated as "public." meaning that 

specific types of content entities (referred to herein as 40 they can generally be accessed by all users, while other BBS 

"content objects." or simply "objects") which may be folders may be designated as "private." meaning that access 

accessed by users, and will also illustrate some of the to such fodders is restricted to some subgroup of users. A 

different types of access rights users may be given with private folder may be used, for example, to permit private 

respect to such content objects. personal correspondence between a user-specified group of 

The Chat service is an interactive communications service 45 family and friends, 

which allows users to have real time conversations with The specific types of operations allowed with respect to a 

other users on specific topics. Chat conversations or "con- BBS object may vary from user to user. For example, some 

fereoces" are organized as "Chat rooms** which may be users may have read-only access within a BBS folder, in 

entered or exited by end users to join or leave the come which case they will not be able to repty to an existing BBS 

spending conferences. For example, an end user may enter 50 message in that folder and will not be able add a new 

a "sports** Chat room to join an interactive conversation on message to the folder. Other users may be able to add new 

sports-related topics. Participants in a Chat conference can BBS messages to the folder and/or reply to existing 

type in textual messages which will be displayed on the messages, but not delete existing messages, 

monitors of other participants. Voice and/or video capabili- Other users, generally referred to as "sysops" (system 

ties may additionally be provided. 55 operators), may be given the ability to delete existing 

The BBS service allows users to post and/or review messages from the folder. Different end users can be des- 

mes sages. Users can thereby ask and answer questions, or ignated by the on-line services network provider (i.e.. the 

otherwise conduct non-real-time conversations with other owner or operator of the host data center 104) as the sysop 

users. Although shown as a single BBS service group 132 in for a particular folder or group of folders. Thus, for example. 

FIG. 1. multiple BBS service groups may be formed, with 60 a particular end user may be placed in charge of a football 

each corresponding, for example, to a particular topical area. BBS folder, while another end user may be placed in charge 

In the preferred implementation, replicated copies of all of a baseball BBS folder. This advantageously allows the 

BBS content (e.g., BBS messages and folders) are stored on on-line services network provider to distribute the respon- 

each application server 120 of the BBS service group 132. sibility of monitoring BBS content among a large number of 

This allows the BBS application servers 120 to indepeo- 65 end users. 

dendy process message read requests from end users. Rep- Users at the system administrator level may be given the 

lication of BBS content is accomplished using the Arbiter additional capability of creating new BBS folders, deleting 
existing BBS folders, and/or changing the access rights of users with respect to BBS folders.

The foregoing examples illustrate some of the specific types of access privilege levels which may be assigned to users with respect to certain object types, and illustrate some of the reasons for assigning different levels of access rights. As additionally illustrated by the foregoing, it is often desirable to define different (and often unique) types of accesses for different on-line services and object types. For example, for the Chat service, it is desirable to have the above-described viewer, participant and moderator type access privileges, even though the operations corresponding to these privileges are generally unique to the Chat service. It will also be recognized that as new on-line services and new object types are added to the network 100, it may be necessary or desirable to define new types of access operations. To facilitate the addition of new on-line services and object types, the network 100 provides for a specified set of privilege levels (such as "viewer," "observer," "user," "host," "sysop," and "sysop manager") which can be assigned to users, and it is left to the on-line services themselves (i.e., to the authors of the service applications) to define the specific access capabilities that go along with each user privilege level. For example, for a user that has been assigned the general privilege level of "user," the Chat service may give the user "participant" level access to all public Chat rooms, while the BBS service may allow the user to read, generate and reply to BBS messages within all public BBS folders. This feature of the present invention is further described below under the heading ACCESS RIGHTS.

3. Overview of Directory Service and Security (FIG. 2)

The following is an overview of the Directory Service, which is an on-line service that allows users to explore the content (i.e., the on-line services and associated data entities) of the network 100. The Directory Service is described in detail in a concurrently filed U.S. application having the title DIRECTORY SERVICE FOR A COMPUTER NETWORK, which is incorporated herein by reference. Included in this overview is a brief description of how the Directory Service and other services determine the access rights of users with respect to specific content objects.

The Directory Service provides users with a hierarchical view of the various content objects available on the network 100. As further described below, the content objects are arranged within hierarchical directory structures 202, 204 (FIG. 2) that are maintained by the Directory Service, with the content objects represented as nodes of these structures 202, 204.

The content of the network 100 is displayed to the end user via a network shell program which runs on the client microcomputers 102 of end users. The network shell is the primary client of the Directory Service. A preferred implementation of the network shell is described in a commonly-assigned U.S. application having the title ON-LINE NETWORK ACCESS SYSTEM, filed Jul. 17, 1995. In the preferred embodiment the network shell is an integral part of the Microsoft Windows 95 Explorer program (hereinafter "the Explorer") which is described in Inside Windows 95, Microsoft Press, 1994.

A graphical user interface of the Explorer displays the content objects as a logical extension of the user's hard drive, with each object shown as an icon and/or a textual name. Using the Explorer, users can browse the content of the network 100, and can access the various content objects (to, for example, enter a specific on-line service). To access a content object, the user double clicks on the icon for that object. As further described below, the Directory Service only "shows" those content objects to which the particular user has access. Thus, the user is provided with a filtered view of the actual content of the network 100.

With reference to FIG. 1, the Directory Service (abbreviated as "DS" in FIG. 1) includes two separate services, the DirSrv service (implemented on the DirSrv service group 134) and the BBS service (implemented on the BBS service group 132). The DirSrv service is the "root" of the Directory Service, and provides users with a hierarchical, navigable view of all non-BBS content objects. These non-BBS content objects are arranged within the DirSrv directory structure 202. The BBS service acts as its own directory service provider, and provides users with a navigable, hierarchical view of all BBS content objects. The BBS content objects are arranged within the BBS directory structure 204. A seamless interface between the DirSrv and BBS services allows users to transparently traverse between the two directory structures 202, 204, so that the Directory Service appears as a single service to end users, and so that the two directory structures 202, 204 appear as a single tree-like directory structure.

The DirSrv and BBS services are both "directory service providers," meaning that they act as the Directory Service with respect to corresponding portions of the network content. Additional directory service providers can be added to the Directory Service as the content of the network 100 grows. For example, an investment service that provides data on stocks and mutual funds could be added which acts as a directory service provider with respect to its own content.

FIG. 2 illustrates the general organization of the content objects within the directory structures 202 and 204, as maintained by the Directory Service. Each content object is represented as a corresponding node of one of the directory structures 202, 204. The first directory structure 202 exists within the DirSrv namespace 212, and represents the content that is accessible through the DirSrv service. The second hierarchical structure 204 exists within the BBS namespace 214, and represents the content that is accessible through the BBS service. Each structure 202, 204 may have thousands of nodes, and could thus represent thousands of content objects. The nodes can generally be thought of as "service areas" that can be entered by users. Links between nodes represent paths that can be taken by users in traversing the hierarchical structures 202, 204 from one service area to another. The specific nodes and links shown in FIG. 2 are provided to show the general manner in which nodes are arranged, and do not represent an existing directory structure.

The hierarchical directory structures 202, 204 are preferably in the form of directed acyclic graphs. As is well known in the art of file systems, an acyclic graph structure is more flexible than a tree structure, since an acyclic graph allows a node to have multiple parent nodes. (A "parent" of a given node is any node that is both (1) directly connected to the given node, and (2) at a higher level in the hierarchy than the given node. Similarly, a "child" is any node that is both (1) directly connected to the given node, and (2) at a lower level than the given node.) This characteristic of the directory structures 202 and 204 is illustrated by nodes 10 and 17, each of which has two parent nodes. To simplify the following description, the term "Directory Service structure" will be used to refer collectively to the DirSrv and BBS directory structures 202 and 204.

There are three different types of nodes within the Directory Service structure: leaves, folders and junction points. A
set of flags stored in association with each node identifies the node as one of these three types. Leaves (or "leaf nodes") are nodes that both (1) cannot have children and (2) do not serve as junction points. The leaf nodes in FIG. 2 are nodes 7-11, 16 and 17 (assuming that these nodes cannot have children). Leaves normally represent the actual services within network 100. Examples of leaves include Chat rooms, BBS messages, Media view titles and download-and-run files. When the user clicks on a leaf node (by double clicking on the corresponding icon from a window of the Explorer client), the corresponding service-related action is taken. For example, if the user double clicks on a Chat room icon, the Chat service is opened and the user is added to the corresponding Chat conference. When the user double clicks on a leaf node for a download-and-run file, the file is downloaded to the user's computer 102 for execution.

Folders are nodes that both (1) can have children and (2) do not serve as junction points. The folder nodes in FIG. 2 are nodes 0-6 and 13-15. Folder nodes normally represent collections of other content objects, and are used to organize the content of the network. For example, a folder node may correspond to a BBS folder on a particular topic, or may represent a collection of BBS folders and Chat rooms on a related topic. Folder nodes are also used to generally arrange content objects according to language. For example, node 1 may be an English folder containing content objects that are primarily in English, and node 2 may be a Spanish folder containing content objects that are primarily in Spanish. Folder nodes are generally analogous to the directories of a file system.

The third type of node is a junction point. Junction point nodes serve as proxies for nodes in other Directory Service namespaces, and are used to allow the user to seamlessly traverse between namespaces. The only junction point shown in FIG. 2 is node 12, which serves as a proxy for BBS folder node 14 (referred to as the "target node"). When, for example, the user double clicks on node 12, the Explorer launches a BBS navigator and shows the user the children of node 14.

The DirSrv and BBS services store their respective nodes as lists of node properties, as illustratively shown for node 8 in FIG. 2. The DirSrv and BBS services also keep track of the locations of the nodes within their respective directory structures 202, 204. As pictorially illustrated in FIG. 1, the full DirSrv directory structure 202 (i.e., the nodes within the DirSrv namespace 212 plus the arrangement of the nodes within the directed acyclic graph) is stored on each of the application servers 120 of the DirSrv service group 134. Similarly, the full BBS directory structure 204 is stored on each of the application servers 120 of the BBS service group 132. Depending upon the object type, certain of the node properties stored by the Directory Service may be service-specific. For example, BBS message nodes preferably include a BBS-specific "attachments flag" which indicates whether a file attachment is included with the message. Other properties are general in nature, and are shared by most or all of the Directory Service nodes. The following is a brief description of some of these general properties.

Name. This is a human readable name which may be displayed by the Explorer along with the corresponding icon. For example, a folder node could have the name "Health & Fitness," and could have children folder nodes with names of "Health & Fitness Chat" and "Health & Fitness BBS." (For junction point nodes, the name of the target node is used.)

Directory Entry ID (DEID). This is an 8-byte number which uniquely identifies a node within its respective Directory Service namespace. Every node has a DEID.
Application ID (APPID). This is a 4-byte number which is stored as a property of every node. For leaf nodes, this number identifies the service application associated with the node, and is used by the Explorer to launch the service application when the user double-clicks on the node. For non-leaf nodes, the APPID indicates the namespace (DirSrv or BBS) in which the node resides.

Service Group ID. (Also referred to as the data set ID.) This is a 2-byte number which identifies the service group (132 or 134) of the Directory Service provider.

Icon ID. This is an identifier of the icon which is to be displayed by the Explorer as a representation of the node. Icon bitmaps are stored by the Directory Service, and are sent over the network upon request by the Explorer.

Flags. The flags indicate whether the node is a folder, leaf, or junction point.

Security Token. This is a 4-byte value which identifies a content category to which the node has been assigned for security (i.e., access rights) purposes. When a user attempts to access a node, the node's security token and the user's 32-bit account number are used to determine the user's access rights with respect to the node. (For junction point nodes, the security token of the target node is used.) Security tokens are described in detail below under the heading COMPRESSION BY GROUPING OF OBJECTS.
Although the terms "node" and "content object" will be used somewhat interchangeably throughout the following description, it should be understood that each node is simply a list of content object properties stored by the Directory Service. In the case of a leaf node, this list of properties will typically correspond to a content object which is stored on some other application server 120. For a Chat room object which resides on a Chat server 120, for example, the corresponding node will be a list of the properties for the Chat room, and will be stored on each of the DirSrv servers 120. For folder nodes which simply represent groupings of other nodes, the folder node and folder content object are essentially the same entity.

Nodes of the Directory Service structure are preferably added, deleted and modified using "Sysop Tools," which is a client application of the Directory Service. As will be appreciated by those skilled in the art, various conventional editing tools can be used for this purpose. To create a node using Sysop Tools, the user must specify at least the DEID, APPID and the service group ID of the node. The Sysop Tools client is further described in a commonly-assigned, concurrently filed U.S. application having the title SYSTEM AND METHOD FOR EDITING CONTENT IN AN ON-LINE NETWORK.

The Directory Service operates generally as follows. In response to requests from the Explorer, the Directory Service sends node properties over the WAN 106 to the client microcomputer 102, allowing the Explorer to reconstruct user-selected portions of the Directory Service structure on the user's screen, and/or allowing the Explorer to display user-specified object properties (such as the number of users in a Chat room) to the end user. To avoid unnecessary transfers of information over the WAN 106, the Directory Service only returns those properties that are specifically requested by the Explorer. When the user double clicks on a folder node, the Explorer uses a GetChildren API (application program interface) to generate a request to the Directory Service for the children of the folder node, specifying as parameters of the API the DEID of the folder node plus the names of the specific properties needed to display
the children of the folder node. When the user double clicks on a leaf node, the Explorer initiates a service session with the corresponding service, using the leaf node's APPID to identify the appropriate service application.

Before "showing" a node to the end user (by returning the requested properties of the node to the Explorer), the Directory Service uses a GetAccountRights API to determine the access rights of the user with respect to the node (or equivalently, with respect to the corresponding content object), and to thereby determine whether the user is authorized to access the node. This access rights information is stored within the access rights database 152 on each security server 150. If the user is not authorized to access the node, the Directory Service does not return the properties of the node, and the node is not displayed to the user. By way of example, suppose that a user double clicks on the icon corresponding to node 6 in FIG. 2. This will cause the Explorer to send a GetChildren request to the Directory Service. As parameters of the GetChildren request, the Explorer specifies the DEID of node 6, and specifies the properties (typically the name, DEID, APPID, flags and icon ID) to be returned for each child node. If, for example, the user is authorized to access node 7, but is not authorized to access node 8, the Directory Service will return only the properties of node 7. Thus, node 8 will not appear in the Explorer window on the user's screen.

This feature of the invention advantageously allows certain nodes and content objects to be completely hidden from certain classes of users. For example, this feature may be used to hide from the view of regular users a BBS folder (and its contents) that has been created for private correspondence between members of a family, so that the only users who can see the folder (via the Explorer or other client application) are the designated family members. Because only those authorized to access each node can see the node, a high degree of security is provided against unauthorized accesses.

To determine the user's access rights with respect to the node, the Directory Service initially reads the 32-bit security token associated with the node (which, as described above, is stored as a node property). The Directory Service then generates a GetAccountRights call, specifying as parameters of the call the node's security token and the user's 32-bit account number. The GetAccountRights API returns either a 16-bit access rights value which indicates the user's access rights with respect to the node, or else returns a code indicating that the user is not authorized to access the node. The GetAccountRights API includes code which generates queries to the access rights databases 152 to obtain user-specific access rights lists, and also includes code which implements an access rights cache for locally storing these user-specific lists. The GetAccountRights API and a preferred implementation of the access rights cache are described in detail in sections 8-10 below.

In the preferred implementation of the network 100, various forms of "direct navigation" are possible, wherein the user can access content objects without initially placing a Directory Service call. Using a "shortcuts" feature, for example, a user can create an icon that allows the user to subsequently return to a service area (such as a Chat room) without navigating the Directory Service structure. (The shortcuts feature is described in the above-referenced application of the title ON-LINE NETWORK ACCESS SYSTEM.) The Directory Service thus cannot be relied upon for ensuring the security of all content objects.

To ensure that the access rights of users are checked when direct navigation techniques are used, various other entities of the network 100 (in addition to the Directory Service) are preferably configured to call the GetAccountRights API. For example, the Chat service calls GetAccountRights to determine the rights of users with respect to Chat rooms, the Mail service calls GetAccountRights to determine whether users are authorized to send mail to specific distribution lists, and the FTM service calls GetAccountRights before downloading a file requested by a user. To provide an extra "layer" of protection, the Gateways 140 are preferably configured to call GetAccountRights whenever a user attempts to open a pipe to a service (as described below).

Although the architecture of the preferred embodiment allows a wide variety of different services and machines to generate queries of the access rights database 152, it will be recognized that various alternatives are possible. For example, the network 100 may be configured such that the Directory Service is the only entity that generates queries of the access rights database 152, and all access requests may then be routed through the Directory Service. Alternatively, the Gateways 140 or logon servers (not shown) could be configured to generate a query of the access rights database 152 when a user initially logs onto the network, and the user-specific access rights list obtained from this query may then be forwarded to each application server 120 to which the user connects. Both of these alternative approaches reduce the frequency of queries of the access rights database 152.

4. Access Rights (FIGS. 3A and 3B)

FIG. 3A illustrates an access control matrix 300 which represents the access rights of users of the on-line services network 100. The information contained within the access control matrix 300 is stored in the access rights database 152 in a highly compressed form. Accordingly, the access control matrix 300 represents the information stored within the access rights database 152, but does not represent the actual organization of this information within the database. The preferred methods used for compressing the access control matrix 300, and the preferred implementation of the database 152, are described in the following sections. As described below, the access control matrix 300 (and thus the access rights database 152) specifies, for each user of the network, both (1) the content nodes that can be seen by the user via the Directory Service, and (2) the access operations that can be performed by the user with respect to each content node.

Each row of the access control matrix 300 corresponds to a respective user of the network 100. These users include various levels of subscribers and system administrators. The number of users will typically be in the millions. Thus, the access control matrix 300 will typically have millions of rows. Each column of the access control matrix 300 corresponds to a respective node of the Directory Service structure of FIG. 2. The total number of nodes in the Directory Service structure will typically be in the tens of thousands.

Each entry in the access control matrix 300 is in the form of a 16-bit access rights value (represented by the symbol "XXXX" in the figures), and specifies the access rights of a given user at a given node (or equivalently, specifies the rights of a given user with respect to a given content object). For example, the entry for user 1 at node 1 specifies the access rights user 1 has with respect to the content object corresponding to node 1 of the Directory Service structure. An entry of 0000H (in which "H" indicates the number is in hexadecimal) in the access control matrix 300 specifies that the user has no rights at the node, or equivalently, that the user cannot access the corresponding content object. The Directory Service will not show such a node to the user.
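The following is an added example, written for this page and not taken from the patent or from the network it describes. It models the node properties of section 3 (DEID, APPID, flags, security token, junction-point target), the GetAccountRights lookup keyed by account number and security token, the GetChildren filtering that omits nodes the user has no rights to, and the separate check a service or Gateway must make when the user arrives by direct navigation and never called the Directory Service. The property and function names, the FLAG_* encoding, NOT_AUTHORIZED being None, the per-account rights list keyed by security token (the compressed form: 0000H entries are simply absent), and every node, account and rights value in the sample data are assumptions made for illustration; the figure's real nodes are not reproduced.

```python
"""Added example (Python), not code from the patent or from the network it
describes: a small model of the Directory Service access check.

Assumptions made for illustration: the node property names (deid, appid, flags,
security_token, target), the FLAG_* values, NOT_AUTHORIZED being None, the
per-account rights lists keyed by security token, and every node, account and
rights value in the constructed sample data below.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FLAG_LEAF, FLAG_FOLDER, FLAG_JUNCTION = 1, 2, 4   # assumed encoding of the node-type flags
NOT_AUTHORIZED = None    # stands in for the "not authorized" code GetAccountRights returns


@dataclass
class Node:
    deid: int                    # Directory Entry ID (8-byte, unique within its namespace)
    name: str
    appid: int                   # service application (leaf) or namespace (non-leaf)
    flags: int
    security_token: int          # content category used for the access-rights lookup
    children: List[int] = field(default_factory=list)   # child DEIDs (folders only)
    target: Optional[int] = None                         # target DEID (junction points only)


# Constructed sample in the style of FIG. 2; the figure's real nodes are not reproduced.
NODES: Dict[int, Node] = {n.deid: n for n in [
    Node(6, "Health & Fitness", appid=0, flags=FLAG_FOLDER, security_token=100, children=[7, 8, 12]),
    Node(7, "Health & Fitness Chat", appid=0x4348, flags=FLAG_LEAF, security_token=100),
    Node(8, "Family Chat", appid=0x4348, flags=FLAG_LEAF, security_token=200),
    Node(12, "Health & Fitness BBS", appid=1, flags=FLAG_JUNCTION, security_token=0, target=14),
    Node(14, "Health & Fitness BBS", appid=1, flags=FLAG_FOLDER, security_token=300),
]}

# Compressed form of the access control matrix: for each account only the
# non-zero (security token -> 16-bit rights value) pairs are kept; 0000H is implied.
RIGHTS_DB: Dict[int, Dict[int, int]] = {
    1001: {100: 0x0004, 300: 0x0004},                 # ordinary user: no entry for category 200
    1002: {100: 0x0024, 200: 0x0004, 300: 0x0004},    # family member, also sysop in category 100
}


def get_account_rights(account: int, security_token: int) -> Optional[int]:
    """GetAccountRights: the 16-bit rights value for (account, token), or NOT_AUTHORIZED."""
    rights = RIGHTS_DB.get(account, {}).get(security_token, 0)
    return rights if rights != 0 else NOT_AUTHORIZED


def effective_token(node: Node) -> int:
    """Junction points are checked with the security token of their target node."""
    if node.flags & FLAG_JUNCTION and node.target is not None:
        return NODES[node.target].security_token
    return node.security_token


def get_children(account: int, folder_deid: int,
                 props=("name", "deid", "appid", "flags")) -> List[dict]:
    """GetChildren: requested properties of those children the user is allowed to see.

    A child the user has no rights to is simply omitted, so it never reaches the
    Explorer and is never displayed."""
    folder = NODES[folder_deid]
    if get_account_rights(account, effective_token(folder)) is NOT_AUTHORIZED:
        return []                                        # the folder itself is hidden
    visible = []
    for deid in folder.children:
        child = NODES[deid]
        if get_account_rights(account, effective_token(child)) is NOT_AUTHORIZED:
            continue
        visible.append({p: getattr(child, p) for p in props})
    return visible


def open_object(account: int, deid: int) -> Optional[int]:
    """The check a service (or a Gateway opening a pipe) must make itself when the
    user arrives by direct navigation, e.g. a shortcut, and never called the
    Directory Service.  Returns the rights value to apply, or NOT_AUTHORIZED."""
    return get_account_rights(account, effective_token(NODES[deid]))


if __name__ == "__main__":
    print([c["name"] for c in get_children(1001, 6)])   # node 8 is filtered out for 1001
    print(open_object(1001, 8), open_object(1002, 8))    # None vs 0x0004
```

The point of open_object is that hiding a node in GetChildren is only a presentation filter: a shortcut to node 8 bypasses it, so the Chat server (and, as an extra layer, the Gateway) has to repeat the GetAccountRights check on the object it is asked to open, using the target node's token when the object was reached through a junction point.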
Thus, for example, if user 2 has an entry of 0000H for node 1, user 2 will not see the icon for node 1 when navigating the Directory Service structure via the Explorer. (As described below, entries of 0000H are not actually stored.)

In the preferred embodiment, the access rights values of the access control matrix 300 are generally in the form of privilege level masks, with each defined bit corresponding to a respective user privilege level. FIG. 3B illustrates a preferred basic set of user privilege levels, and the correspondence between these privilege levels and the bits of the access rights values. With reference to FIG. 3B, bits 0-6 correspond respectively to the user privilege levels of viewer, observer, user, host, sysop manager, sysop and supersysop, and bits 7-15 are reserved for future definition. Thus, for example, an access rights value of 0024 hexadecimal (bits 2 and 5 set to one, and all others clear) indicates user privilege levels of "sysop" and "user."

Although this approach uses a hierarchy of privilege levels, various non-hierarchical approaches are possible. For example, the access rights values may directly specify the access operations that can be performed by the users, with, for example, bit 0 specifying whether the user has read-only access, bit 1 specifying whether the user has read/write access, and so on.

In the preferred embodiment, the general privilege levels of FIG. 3B are transformed into specific access capabilities by the various on-line services (such as Chat, BBS, and the Directory Service). For example, the Chat service may give moderator-type access capabilities to users that have the privilege level of "host." The access capabilities corresponding to a given privilege level may vary from on-line service to on-line service. Generally, however, the access capabilities within a given on-line service will be consistent with the following privilege-level "definitions":

Viewer. The user can see the existence of the node, but cannot open or access the corresponding service. The user may be given the ability to subscribe to the service (to obtain a higher privilege level with respect to the service), and may be able to view certain properties of the node (such as a textual description). (This is the lowest level of access rights a user can have with respect to a node. A user with no access rights with

sysop manager for a given node may be given the ability to change any of the properties (e.g., name, icon ID, etc.) for that node.

Supersysop. The user has the highest level of access authority provided by the service.

As indicated by the foregoing, the privilege level definitions are generally open ended, giving the various services flexibility in assigning specific access capabilities to users. This is particularly true for the privilege levels of "user," "host" and "sysop," which may be translated into significantly different access capabilities by different services. Advantageously, the privilege levels are not limited to predefined access capabilities such as read-only, read/write, modify, append and delete, but rather are flexible enough to include new types of access capabilities that may later be defined. Thus, as new types of access capabilities are defined (when, for example, new services and new object types are created), these new access capabilities can be implemented using the existing user privilege levels. In other embodiments of the invention, the access rights values may correspond uniquely to predefined sets of access operations.

By way of example, suppose that a voice-based Chat service is added which assigns a "voice override" priority level of either low, medium or high to each member of a given voice Chat conference, to thereby give certain users a greater degree of control over the conversation than others. To implement these three newly-defined access capabilities without defining new user privilege levels, bits 2, 3 and 5 in FIG. 3B (corresponding to user privilege levels of user, host and sysop) could be used, respectively, to specify voice override priority levels of low, medium and high.

With further reference to FIG. 3B, additional user privilege levels can be defined as needed (using bits 7-15) to achieve higher degrees of privilege-level granularity. Also, services can be configured to give special meaning to certain combinations of privilege level bits. For example, an on-line service could give special access capabilities to users that have both the "host" and "sysop" bits set.

To simplify the description which follows, the term "access rights" will hereinafter be used to refer generally to the access rights values, and to the privilege levels and/or

respect to a node cannot view the name, icon, or any access capabilities associated with these access rights val- 

other feature of the node). uc ^ 
Observer. The user can see the existence of the node and 

can open the service, but cannot actively participate in , _ „, . , 

the service. (For example, an observer fee a^BSfower *V wiU * CXtran * 

node may be given readonly access to the messages ^ wlU "x™** 

„,:*#.;« #k- r«M~i iv- .™ ' , - - TnZV of conventional servers. Thus, it would not be feasible to 

within the folder). The user may be given the ability to . J . . 

„. . tn - ' 'so store the entire access control matrix 300 on a single server, 

subscribe to the service. _ ... 4 . ... 

^ _ . Iv m , Further, even if the access control matrix 300 were divided 

User. The user can do whatever is ^ormaT for the ^ a(TOSS muitiplc servers, the time required to 

particular service, ^example, the user may be given ^ matrix 3* (to <tet ermi D e the rights 

toe ability to post BBS messages within public BBS of a user with tcs ^ t to ^ 4,3^) would ^ iQagm4Bd the 

folders, or may be given the ability to actively partict- „ usef wouM merefore experience significant time delays 

pate in public Chat conferences. when moving from object to object. 

Host. The user is given host-level or leadership-level to acc0 rdance with the present invention, the above- 
priviieges (where applicable) for the service. For described limitations are overcome by effectively compress- 
example, the Chat service may give the host user ing me acccss ^^1 matrix 300 both horizontally and 
moderator privileges. vertically, to thereby reduce the quantity of acccss rights 

Sysop. The user is given the access rights consistent with data that needs to be stored. Horizontal compression (the 

normal (entry-level) sysop- type activities for the reduction of the number of columns) is effectively achieved 

service, such as the ability to delete BBS messages, or by grouping together content objects which may be treating 

the ability to edit a certain subset of the properties of a the same for security purposes. Vertical compression (the 

node. 65 reduction of the number of rows) of the matrix 300 is 

Sysop Manager. The user is given various ownership-type effectively achieved by die formation of user groups. Each 

privileges with respect to the node. For example, the compression technique is described in detail below. The 



45 With reference to FIG. 3 A. in a network that has on the 
order of millions of subscribers and thousands of content 
compression of the access control matrix 300 is "effective," rather than actual, since the access control matrix 300 is not ordinarily generated in the uncompressed form of FIG. 3A. The compression of the access control matrix 300 advantageously enables the information contained therein to be stored on each security server 150 (within each relational access rights database 152).

5. Compression by Grouping of Objects (FIGS. 4A and 4B)

In accordance with the present invention, the number of columns of the access control matrix 300 is reduced by effectively grouping together the content objects that can be treated the same for security purposes, and then storing only the access rights information for each group (rather than for each content object). With reference to FIG. 4B, each object group is identifiable by a mnemonic name ("Internal Public," "Internal 18-and-older," etc.), but is represented by a unique 32-bit value referred to herein as the "security token" (or simply "token"). For example, the object group with the name "Internet 18-and-older" has a security token of 4 (i.e., 0004H). The mnemonic names generally represent different content categories that have been defined for security purposes. To help to distinguish object groups from user groups (which are discussed below), the term "content categories" will be used herein to refer to the object groups. The security tokens serve as content category identifiers.

With reference to FIG. 4A, which illustrates the horizontally compressed access control matrix 300', each column of the matrix corresponds to one content category, and is represented by the content category's security token. Since the number of content categories will be significantly lower than the total number of content objects, the number of columns will be significantly reduced over the access control matrix 300 of FIG. 3A.

With reference to FIG. 4B, each content category (i.e., object group) contains the content objects which fall within a predetermined security classification. For example, the category "Internet 18-and-older" contains all Internet objects which have been classified (typically by system administrators) accordingly. In the preferred embodiment, each content object (or equivalently, each node of the Directory Service structure) is assigned to exactly one content category, and a content category can contain as few as one content object.

As described below, security tokens are also preferably defined for certain non-Directory-Service entities, such as distribution lists for sending electronic mail, and connections to classes of services. This allows the GetAccountRights API and access rights database 152 to be used to control access to entities that do not correspond to respective nodes of the Directory Service. These non-Directory-Service security tokens are not stored as node properties, but rather are stored by the entities (such as the Mail servers 120 and Gateways 140) with which they are associated.

As a result of the grouping of the content objects, a user's privilege level (or privilege levels) will be the same for all content objects within a given content category. For example, if a given user has the privilege level of "observer" with respect to one content object in the Internet 18-and-older content category, that user will also have the privilege level of observer with respect to all other content objects of the Internet 18-and-older content category.

Although the categories listed in FIG. 4B are content based, other bases for categorizing the data entities to which access is controlled are possible. For example, in embodiments of the invention that involve the control of accesses to software resources, the data entities may be grouped according to resource types, with categories such as "user-level threads," "system-level threads," "executable files," and "semaphores."

With further reference to FIG. 4B, the content categories corresponding to tokens 1-4 are a basic set of groups which may be used with an initial implementation of the network 100. As the content of the network grows, these content categories may be subdivided into sub-categories, to thereby achieve a higher degree of access rights granularity with respect to different types of content objects.

The other content categories listed in FIG. 4B are examples of categories which may be defined to provide privacy over certain types of data. The category "Corporation X Beta Test Data," for example, may contain all BBS objects (e.g., folders and messages) which pertain to the beta test of a software product of Corporation X. Access to such a group could be limited to individuals who are participating in the beta test plus certain employees of Corporation X. This would allow Corporation X to privately correspond with beta test participants, without other users being able to view such correspondence. The content category "Family and Friends for Brown Family" may similarly be formed to allow private correspondence between a small group of subscribers (e.g., Brown family members plus designated friends), and may contain, for example, Chat and BBS objects which have been designated for this purpose. Of course, many different family and friends content categories can be defined to permit private correspondence between many different sub-groups of users.

As indicated above, the 32-bit security tokens are preferably stored by the Directory Service as properties of nodes (except for certain tokens that have been defined for controlling access to non-Directory-Service entities). With reference to FIGS. 2 and 4B, for example, nodes 6, 7 and 8 have the security token of 0002H stored as a property, indicating that the three corresponding content objects are classified as "Internal 18-and-older" data for security purposes. As described in the following sections, the storage of the security tokens as node properties permits the Directory Service to rapidly and efficiently determine the rights of a user at a particular node. In other embodiments of the invention, the security tokens may be stored elsewhere within the system. For example, each on-line service could store or cache the security tokens for its own content objects.

In the preferred implementation of the network, security tokens are defined by system administrators as needed, and are entered as properties of nodes (typically only by users with at least sysop-level privileges with respect to such nodes) using the Sysop Tools client application. When, for example, a new service is created on the network, the new service can either be assigned its own security token (to allow separate security for the area), or can use an existing security token, such as the security token of the new service's parent node.

6. Compression by Grouping of Users (FIGS. 5A and 5B)

In the preferred embodiment of the on-line services network 100, large numbers of users will typically have the same or similar access rights with respect to many of the content objects. Thus, the number of rows of the access control matrix 300' can be significantly reduced by assigning users that have like access rights to user groups, and by storing the access rights of the user groups in place of user-specific access rights. In the preferred implementation of the network 100, this technique reduces the number of rows by several orders of magnitude.

FIG. 5A illustrates the access control matrix of FIG. 4A following the assignment of users to user groups, and FIG. 5B illustrates a preferred basic set of user groups. Each user group is identifiable by a mnemonic name ("everyone,"
"all sysops," etc.), but is represented internally by a 16-bit group ID. Each user group represents a group of users (i.e., user accounts). The following is a brief description of the basic user groups listed in FIG. 5B.

Everyone. All user accounts.

AllSysops. All users that have sysop privileges with respect to at least one content category. Members of this group can use the Sysop Tools client application to edit the Directory Service structure (FIG. 2), although the specific abilities of users to edit the structure will normally vary from user to user.

SuperSysops. A small group of system administrators that have generally unlimited access rights. Supersysops can, for example, define new user groups and new security tokens.

Guest. User accounts that are used for demonstrations and marketing purposes.

Registration/signup. Accounts that are limited to registration and signup privileges.

18-and-older. Accounts which have access to 18-and-older-only type content objects.

Other groups may include, for example, "Company X Beta Test Users," "Company Y Employees," etc.

Associated with each user group is a corresponding set of access rights, which are specified by a respective group-specific row 502 of the access control matrix 300". The access rights for group 1 (i.e., the group "everyone," which has a group ID of 1), for example, are represented by the access rights values in the first row of the matrix 300". The total number of user groups (and thus the number of group-specific rows 502) will typically be very small in comparison to the total number of users. For example, in a network with millions of users, the number of user groups may be as few as several hundred.

Every user account (and thus every user) is assigned to at least one, and possibly multiple, user groups. When a user is a member of multiple user groups, the user has all of the access rights associated with all such groups. For example, if a user is a member of both the "everyone" group and the "allsysops" group, the user will have all of the access rights associated with the everyone group plus all of the rights associated with the allsysops group.

In the preferred embodiment, user groups are defined by system administrators based on need. Membership within each group is controlled by updating a group-member table 602 which is stored on the security servers 150. The group-member table 602 contains the user group IDs and corresponding user account numbers for every user group that has been defined. Updates to the group-member table 602 can be made by system administrators using a database editing program. Updates to this table can also be made automatically in response to certain user actions. For example, a service which provides an on-line subscription feature may be configured to automatically update the group-member table 602 whenever a user subscribes to the service, to thereby add the user to a corresponding user group. The group-member table 602 is further described below under the heading ACCESS RIGHTS DATABASE.

With reference to FIG. 5A, in addition to the rows 502 that specify the access rights of the various user groups, the compressed access control matrix 300" includes account-specific rows 504. Each account-specific row specifies rights that are to be "added on" to the group-based rights of the corresponding user. For example, if user A (FIG. 5A) is a member of user groups 1 and 2 only, the access rights of user A will be the rights of group 1, plus the rights of group 2, plus the rights specified in the account-specific row for user A. When the rights of a given user to a given content category are specified in multiple rows of the compressed access control matrix 300", the associated access rights values (XXXX) are logically ORed together to produce a summation of the row-specific rights. By way of example, suppose that user A has access rights with respect to content category 1 (i.e., the content category corresponding to token 1) by virtue of being in user groups 1 and 2, and that user A has additional rights (such as sysop privileges) with respect to content category 1 that are specified in the account-specific row for user A. To generate a single access rights value for user A with respect to content category 1, the three 16-bit access rights values (group 1, token 1), (group 2, token 1), and (user A, token 1) are logically ORed together. Numerical examples of this process are provided below.

As indicated by the foregoing, the account-specific rows are used to give certain users "special" access privileges beyond the "general" or "group-based" access privileges obtained by virtue of being in one or more user groups. For example, an account-specific row may be added to give a particular user sysop privileges with respect to a certain BBS folder and its contents, or to give the user moderator privileges with respect to a particular Chat conference. Typically, the number of account-specific rows 504 of the compressed access control matrix 300" will be very small in comparison to the total number of users of the network 100. For example, for a network having millions of users, the number of account-specific rows 504 will typically be in the hundreds.

In the preferred implementation of the access rights database 152, which is described below, further compression of the compressed access control matrix 300" is effectively achieved by storing only the non-zero entries (i.e., access rights values not equal to 0000H) of the matrix.

7. Access Rights Database (FIG. 6)

FIG. 6 illustrates a preferred implementation of the access rights database 152. Generally, the access rights database 152 includes all of the information represented by the compressed access control matrix 300", plus a table 602 that indicates the members (i.e., users) of each user group. As indicated above, the access rights database 152 is preferably stored on each security server 150. In other embodiments, the access rights database 152 may be implemented elsewhere within the network. For example, the access rights database 152 could be implemented on one or more of the application servers 120 and/or Gateways 140. Also, although the access rights database 152 is preferably implemented as a relational database, other database arrangements are possible. For example, a hierarchical database could be used.

In the preferred embodiment, the access rights database 152 is generated and updated directly, without initially generating and/or compressing an access control matrix 300. Stated differently, the above-described horizontal and vertical data compression techniques are inherent features of the preferred database implementation. It is contemplated, however, that these compression techniques can be used to transform an existing access rights database (such as a database of an existing network) into a relational database of the general type shown in FIG. 6.

With reference to FIG. 6, the access rights database 152 includes three tables: a group-member table 602, a group-token table 604, and an account-token table 606. The group-member table 602 specifies the membership of each user group that has been defined, with each row of the table 602 specifying one user group and one user who is a member of
the group. User groups are specified in the table 602 by their 16-bit user group IDs, and users (i.e., user accounts) are specified by their 32-bit user account numbers. With reference to the example table entries shown in FIG. 6, user group 1 includes at least users 1 and 2, and user group 2 includes at least users 2 and 27.

The group-token table 604 corresponds to the group-specific rows 502 (FIG. 5A) of the compressed access control matrix 300". Each row of the group-token table 604 specifies one user group, a content category (specified by its 32-bit security token) to which members of the user group have access, and the access rights (in the form of privilege levels) the group's members have with respect to the objects of the content category. By way of example, the first row of the group-token table 604 indicates that members of group 1 have access rights of 0004H (specifying a privilege level of "user," as indicated by FIG. 3B) with respect to all objects within content category 5. The account-token table 606 corresponds to the account-specific rows 504 (FIG. 5A) of the compressed access control matrix 300". Each row of the account-token table 606 specifies one user (i.e., one user account), a content category to which the user has access, and the account-specific access rights the user has with respect to objects within that content category. By way of example, the first row of the account-token table 606 indicates that user 1 has access rights of 0008H (indicating the privilege level of "host") with respect to objects within content category 5. These account-specific access rights are in addition to the group-based rights of 0004H that user 1 has with respect to content category 5. Thus, user 1 will be given both user-level (0004H) and host-level (0008H) access capabilities with respect to all objects within content category 5.

Updates to the tables 602, 604, 606 are preferably made by system administrators using a database editing program which is part of the Sysop Tools client application. As will be appreciated by those skilled in the art, any of a variety of conventional database editing packages may be used for this purpose.

In addition to or in place of the account-token table 606, an exclusion table (representatively shown by the account-token table 606, which is identical in format) may optionally be implemented to take away certain group-based rights of users. The exclusion table has the same format as the account-token table 606, but specifies the access rights that are to be subtracted from (or "masked off") the user's account with respect to the content category specified therein. For example, an exclusion table row containing the entries (account no.=2), (token=5), (access rights value=0020H) would indicate that the group-based access rights of 0020H are to be masked off from the account of user 2, leaving user 2 with access rights of only 0004H with respect to content category 5. (Without this exclusion table entry, the rights of user 2 with respect to content category 5 would be 0024H, indicating "sysop" and "user" level privileges.)

The implementation of an exclusion table is useful, for example, for taking away access rights of users who misuse the on-line services. For example, if a particular user consistently uses profanity in BBS messages, the exclusion list could be used to lower that user's BBS access capabilities to a read-only level. The handling of exclusions on an exception basis advantageously permits the benefits of compressing the access rights matrix to be retained.

As will be recognized from the foregoing, the inclusion of either an account-token table or an exclusion table will advantageously allow access rights to be customized on a per-user basis.

8. Queries of Access Rights Database (FIGS. 7 and 8)

In the preferred embodiment, each security server 150 is programmed to receive account-specific access rights queries from the application servers 120 and Gateways 140 within the network, and to respond to each such query by returning all of the access rights data of the user specified in the query. The queries are in the form of remote procedure calls (RPCs) which specify the account number of a single user, and are generated by the calling servers (i.e., the application servers 120 and Gateways 140) using a GetAccountRights API. A round robin approach is preferably used to assign specific queries to specific security servers 150.

To reduce the frequency of queries to security servers 150 (and to avoid the delay associated with such queries), the GetAccountRights API implements a caching scheme wherein the user-specific access rights data returned by the security server 150 is stored within an access rights cache 802 (FIGS. 8 and 9) of the calling server. The GetAccountRights API and associated caching scheme are described below.

FIG. 7 illustrates the sequence of steps taken by a security server 150 each time a query is received for the access rights of some user (designated as "user X" in FIG. 7). With reference to block 702, the group-member table 602 is initially accessed to identify all of the user groups of which the user is a member. If the subject of the query is user 2 (FIG. 6), for example, this step would identify groups 1 and 2 (and any other groups in which user 2 is a member).

With reference to block 704, once the user groups have been determined, the group-token table 604 is used to identify the content categories (identified by their respective security tokens) to which the user has access, and to obtain the access rights values corresponding to such content categories. If the user has multiple access rights values corresponding to the same token (by virtue of being in multiple user groups), these access rights values are logically ORed together to produce a single 16-bit access rights value, as generally described above. Assuming for purposes of example that the entries shown in FIG. 6 are the only table entries, this step would produce the following results, respectively, for users 1, 2 and 27:

USER 1:
Token 5 rights=0004H
Token 9 rights=0001H

USER 2:
Token 1 rights=0004H
Token 5 rights=(0004H) OR (0020H)=0024H
Token 9 rights=0001H

USER 27:
Token 1 rights=0004H
Token 5 rights=0020H

The result of the step of block 704 is a group-based access rights list which specifies the access rights (in the form of tokens and corresponding access rights values) the user has by virtue of being a member of one or more user groups. These access rights are referred to herein as the user's "group-based" access rights.

With reference to block 706, once the user's group-based access rights have been obtained from the group-token table 604, the account-token table 606 is accessed to obtain any additional rights that are to be added to the user's group-based rights. For user 1, for example, token 5 rights of 0008H and token 6 rights of 0001H would be obtained. Since user 1 already has group-based rights of 0004H with respect to token 5, the access rights values 0004H and 0008H will eventually be ORed together to produce a single 16-bit value. As described below, this step of ORing the
group-based and account-based access rights values is performed, if at all, by the calling server after the query returns.

In embodiments of the access rights database 152 that include an exclusion table, the exclusion table is then accessed to obtain any access rights that are to be taken away from the user's account. This step is similar to the step of accessing the account-token table 606 (since the two tables are identical in format), except that any access rights values read from the exclusion table are applied as masks for masking off the group-based rights specified therein. The step of masking off the user's rights can be performed either before or after the query returns.

The result of the steps 704 and 706 is an access rights list which contains all of the tokens and corresponding access rights values for the user. For user 1, for example, the access rights list would have the following entries (assuming no other table entries exist):

(T5, 0004H), (T9, 0001H), (T5, 0008H), (T6, 0001H)

Each entry in this list is in the form of a 32-bit token (designated by the letter "T") followed by the corresponding 16-bit access rights value. Tokens which do not appear in this list (such as token 7) represent content categories to which the user has no access rights, and correspond to content objects which will not be shown to the user by the Directory Service. As illustrated for token 5 in this example, an access rights list may have two entries for the same token, since the account-specific access rights values are kept separate from the group-based values.

In other embodiments of the invention, the access rights values may be omitted from the access rights lists, so that each user-specific access rights list consists simply of a string of security tokens (i.e., category identifiers) that identifies the content categories to which the user has access. This may be desirable, for example, in systems that do not require the specification of access rights on a per-object (or per-category) basis.

With reference to block 708, once the full access rights list for the user has been generated, the security server 150 sorts the tokens in numerically ascending order. For the user 1 access rights list shown above, this step may render the following list:

(T5, 0004H), (T5, 0008H), (T6, 0001H), (T9, 0001H)

With reference to block 710, this list is then returned to the calling server. The calling server stores this user-specific access rights list within its access rights cache 802, and searches this list for specific tokens to determine the access rights of the user with respect to specific content categories. As described below, the step of numerically sorting the tokens facilitates cache searches by the calling server for specific tokens.

FIG. 8 illustrates the process by which a Directory Service server 120 (i.e., a DirSrv or BBS server) queries a security server 150 to determine the access rights of a user, user X, and illustrates the caching scheme used by the Directory Service server 120 to cache access rights data. The query is in the form of an RPC call to the security server 150, specifying the account ID of the user. This query will typically be generated when user X initially opens the

rights of user X with respect to all nodes of the Directory Service structure. The Directory Service server 120 stores the user's access rights list within a user-specific row of its access rights cache 802. As user X subsequently moves through the Directory Service structure (FIG. 2) to view the various content objects, the Directory Service server 120 checks the cache row corresponding to user X (provided that the row has not been flushed from the cache) for the security tokens of the various nodes of the Directory Service structure. As described above, these security tokens are preferably stored as node properties of the Directory Service structure.

Each check of the cache 802 is initiated by the Directory Service by generating a GetAccountRights call, specifying as parameters of the call the user's account number and a token. The GetAccountRights API either returns the 16-bit access rights value of the user with respect to the token (i.e., with respect to the node which has the token stored as a property), or else returns a code indicating that the user does not have access with respect to the token. If no row exists in the cache 802 for the user, the GetAccountRights API generates a query to a security server 150 to create a cache row for the user, and then checks the cache row for the specified token. If a cache row is already present for the user, no query is necessary, since the information stored in the user's cache row fully specifies the user's access rights with respect to all nodes of the Directory Service structure.

To provide a specific example, suppose that a user double clicks on node 6 (FIG. 2) of the Directory Service structure (assuming that the Directory Service has already returned the properties of node 6). The Directory Service will then read the security tokens for nodes 7 and 8 stored as properties of these nodes, and will generate two GetAccountRights calls, one for node 7 and one for node 8. The GetAccountRights call for node 7 will result in a check of the user's cache row (and, if necessary, a query to a security server 150) for the token corresponding to node 7, and the GetAccountRights call for node 8 will result in a check of the user's cache row for the token corresponding to node 8. Each GetAccountRights call will return either a 16-bit access rights value, or, if the token is not found in the user's rights list, a code indicating that the user does not have access to the node. If the user does not have access to the node, the Directory Service does not show the node to the user, and the user is prevented from either seeing the node or accessing the corresponding content object. Continuing the above example, if the user's access rights list (stored in the cache 802) does not contain the security token for node 7, the GetAccountRights API will return a code indicating that the user cannot access node 7. The Directory Service will respond to this code by not sending any node 7 properties to the user's computer 102, so that the node will not be displayed by the Explorer to the user. The user will thereby be prevented from accessing node 7. If, however, the token for node 7 is found in the user's cache row, the GetAccountRights API will read the corresponding 16-bit access rights value from the cache 802, and will return this value to the Directory Service. The Directory Service will then return the properties of node 7 that were requested by the Explorer (as parameters of a GetChildren call, as described above), and the Explorer will display node 7 to the user. The Directory

Explorer window. Service and/or Explorer may additionally perform certain 

The security server 150 responds to the query by access- actions based upon which of the privilege level bits arc set 

ing its locally-stored copy of the access rights database 152. 65 in the 16-bit access rights value. For example, if the "sysop 

and by returning the entire numerically-ordered access rights manager" privilege level bit (bit 4 in FIG. 3B) is set. the 

list for user X. This access rights list specifies the access Directory Service will inform the Explorer (upon request 
from the Explorer) that the user has sysop manager privileges at node 7, and the Explorer will display a Sysop Tools edit menu that allows the user to edit the properties of node 7. The GetAccountRights API is described in further detail below.

During a typical logon session, the Directory Service will request the user's access rights to hundreds of different content objects, and will thus generate hundreds of GetAccountRights calls. As described below, only the first GetAccountRights call for the user will result in a query to a security server 150, and all subsequent GetAccountRights calls will normally result in a check of the user's row in the cache 802 without a new database query. Because accesses to the local access rights cache 802 are typically much faster than queries of the network-wide access rights database 152, use of the access rights cache 802 significantly increases the performance of the GetAccountRights API, and thereby allows the user to rapidly move from node to node of the Directory Service structure. The storage of the security tokens as Directory Service node properties provides for a high degree of performance of the Directory Service, which is the service which typically generates the most GetAccountRights calls.

Although the description thus far has focussed on the use of the GetAccountRights API by the Directory Service, as noted above, other services and machines on the network 100 can also preferably use the API to determine the rights of users. For example, Chat servers 120 may generate GetAccountRights calls as a user moves from Chat object to Chat object within the Chat service. The process by which a non-Directory-Service machine determines the access rights of a user to an object is generally the same as shown in FIG. 8 and described above.

Further, although the foregoing description has focussed on the security tokens that are stored as properties of Directory Service nodes, as indicated above, security tokens may also be stored by other types of entities, so that security can be provided via the GetAccountRights API without creating a corresponding Directory Service node. In the preferred embodiment, for example, the Mail servers store security tokens in association with mail distribution lists, and use these tokens (and the GetAccountRights API) to determine whether individual users are authorized to send mail via such distribution lists. Also, the Gateways 140 store security tokens which correspond to various classes of services, including a class of generally-available services, a class of public services that are made available to the general public (e.g., non-subscribers), and a class of toll free services. Whenever a user requests to connect to a service, the corresponding Gateway 140 calls GetAccountRights (using the token of the corresponding class), and opens a pipe to the service only if the user is authorized to access the service.

In the course of a typical logon session, a user may connect to many different application servers 120 and services, and may access many different content objects within each service. Thus, the access rights list of the user will typically be cached on multiple different machines 120, 140 within the network at the same time.

In the preferred embodiment, if an update is made to a user's access rights (via an update to the relational database 152) while the user's access rights list is cached on a machine 120, 140, the cached access rights list will continue to be used, even though it is no longer up-to-date. Thus, an update to the user's access rights will not take effect until the next time the user's access rights list is read from the database 152. In other embodiments, a mechanism may be provided for invalidating all cached copies of a user's access rights list upon the occurrence of certain events, such as upon the generation of an exclusion table entry for the user.

9. Access Rights Cache (FIG. 9)

FIG. 9 illustrates a preferred implementation of the access rights cache 802, as implemented on the application servers 120 which place GetAccountRights calls. The cache 802 contains 5000 rows, and can thus hold the access rights lists of 5000 different users. Because the number of user-specific service sessions handled by a given application server 120 normally will not exceed 5000, the cache 802 is large enough to hold all of the access rights information of all users who are being serviced by the application server 120. For the Gateways 140, an access rights cache of 1000 rows is used, since each Gateway can handle a maximum of 1000 simultaneous user connections. In other embodiments, the number of cache rows per machine 120, 140 may be allocated dynamically, with the maximum number of cache rows per machine depending upon the amount of memory available on each respective machine.

Each row of the cache 802 contains 500 slots. Each slot stores a 32-bit security token and the corresponding 16-bit access rights value. Each user-specific row can thus store an access rights list having a length of up to 500 tokens, which is sufficient to fully specify the access rights of the user with respect to all nodes of the Directory Service Tree. (Because many nodes will typically have the same security token, the number of nodes to which the user has access may greatly exceed 500.)

The cache 802 is preferably implemented in the dynamic RAM of each machine 120, 140 that places GetAccountRights calls. As described above, multiple machines 120, 140 may simultaneously cache the access rights data of the same user. For example, the user's access rights list may simultaneously be stored in the respective caches 802 of a DirSrv server 120 to which the user is connected, a Chat server to which the user is connected, and the Gateway 140 that is handling the user logon session.

In the preferred embodiment, only a single access rights cache 802 is implemented on any given machine 120, 140 at a time, even if the machine is allocated to multiple service groups. Thus, for example, if two different service applications (such as the Chat and DirSrv applications) are concurrently running on the same application server 120 and both generate GetAccountRights calls, these two service applications will share the same access rights cache 802.

With further reference to FIG. 8, each machine which implements an access rights cache 802 contains cache flushing structures 806 which monitor certain activities to determine when a user-specific access rights list may be overwritten in the cache 802. The first such structure is a least-recently-used (LRU) monitor 808 which monitors accesses to the cache rows to keep track of which row was least recently accessed. The LRU monitor 808 specifies, when the cache 802 is full (i.e., all rows occupied), the cache row that is to be overwritten when a new access rights list is returned by a security server 150. Least-recently-used algorithms are well known in the art.

The second cache flushing structure is a pipe monitor 810 which monitors the number of pipes that each user has to the application of the application server 120 (or Gateway 140) on which the cache 802 resides. Whenever the pipe monitor 810 detects that the number of pipes for a given user has gone to zero (indicating that the user has disconnected from the server 120), the user's access rights list is deleted from the cache 802.

When a cache row is created for a user, the slots of the user's cache row are filled in sequential order (from the
lowest slot number to the highest slot number) as the
numerically-ordered access rights list is returned by the
security server 150. As illustrated in FIG. 9 for the example
access rights list of user 1, the tokens (and corresponding
access rights values) are written to the cache 802 in numeri-
cally ascending order. As illustrated by slots 1 and 2 for user
1, duplicate tokens may be present in the list, indicating that
the user has been given additional rights via the account
token table 606. These duplicate tokens will always fall in
adjacent cache slots.

To obtain the access rights of the user with respect to a
given content category, the GetAccountRights API performs
a binary search of the user's cache row for the token specified
as a parameter of the API. If the token is found, the
corresponding access rights value (stored in the same cache
slot as the token) is read from the cache 802. The GetAc-
countRights API also checks the adjacent slot or slots for
duplicate tokens. If a duplicate token is found, the corre-
sponding access rights value is read and logically ORed with
the first access rights value to generate a single 16-bit access
rights value. By way of example, the call GetAccountRights
(user 1, token 5) would cause the access rights values 0004H
and 0008H to be read from the first two slots of the cache
row for user 1, and these two values would be ORed to
produce 000CH.

Advantageously, the GetAccountRights API is structured
to begin the binary search even if the cache row is currently
being filled, allowing the API to return before the entire
access rights list has been returned by the security server
150. Using the access rights list for user 1 (FIG. 9) as an
example, if the search is for token 6, and the cache row is
currently being filled, it is possible (and likely) that token 6
will be found before the cache row for user 1 is complete.
This feature of the GetAccountRights API increases perfor-
mance on GetAccountRights calls which require a query of
the access rights database 152. To take full advantage of this
feature, care is taken by system administrators to assign the
lowest numbered tokens to the most commonly accessed
object groups (since the lowest numbered tokens are the first
to be returned by the security server 150, and the first to be
written to the cache). This feature of the GetAccountRights
API is further described below.
10. GetAccountRights Method (FIG. 10)

FIG. 10 illustrates the sequence of steps corresponding to
the GetAccountRights API. These steps are performed by
the application server 120 (or Gateway 140) that generates
the GetAccountRights call. As described above, the GetAc-
countRights API is called whenever it becomes necessary to
determine the rights of a user with respect to a content
object. The parameters of the GetAccountRights API are the
32-bit account number of the user (designated as "user X" in
FIG. 10) and the 32-bit token (designated as "token Y") of the
node.

With reference to decisional block 1002, the calling server
120 initially checks its access rights cache 802 to determine
whether a cache row exists for user X. This is preferably
accomplished using a conventional hash algorithm to search
for the user's account number.

With reference to blocks 1004-1008, if no cache row
exists for user X, the server determines whether a query
thread has been started to obtain the access rights of user X
from the access rights database 152. If a query thread has
been started, the API sleeps for an appropriate interval (to
allow a cache row to be created for user X), and then
rechecks the cache 802. If no query thread has been started,
the API starts a query thread before sleeping and rechecking
the cache 802. The use of a separate query thread for
creating and filling the user's cache row advantageously
facilitates the concurrent filling of a cache row and searching
of the cache row.
With reference to block 1012, once a cache row has been
created for user X (which may or may not be complete), a
binary search is initiated for token Y. With reference to
blocks 1014-1018, as the binary search progresses, the API
tests the results of the search and takes one of three actions.
If the token is not found but the cache row is not yet
complete (indicating that the access rights list is still being
returned), the API sleeps and then retests the search results.
If the token is not found and the user's cache row is
complete, the API returns a code indicating that the user
does not have any access rights with respect to the token.
With reference to blocks 1020-1022, if token Y is found,
the corresponding 16-bit access rights value is read from the
cache. The API then checks the adjacent slot or slots in the
cache for token Y. If a duplicate of token Y is found
(indicating that user X has been given additional access
rights with respect to token Y via the account-token table
606), the corresponding access rights value is read from the
cache and logically ORed with the first access rights value.
The result of the logical OR operation is then returned.
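As an added illustration (not code from the patent), the cache row of FIG. 9 and the lookup sequence of FIG. 10 in Python: a row filled in ascending token order by a query thread, a binary search that ORs duplicate tokens in adjacent slots, the sleep-and-retest loop for an incomplete row, and the LRU and pipe-count eviction. The class and function names, the security-server stub and user 1's list are constructed; reporting a token as absent as soon as a larger token has arrived is an added shortcut that the patent's FIG. 10 does not make.

```python
"""Application-server side of GetAccountRights (FIGS. 9 and 10). Added example."""
import bisect
import threading
import time
from collections import OrderedDict

SYSOP_MANAGER_BIT = 1 << 4   # bit 4 of the 16-bit access rights value (FIG. 3B)


class CacheRow:
    """One user's row: up to 500 slots of (32-bit token, 16-bit rights), appended
    in ascending token order as the security server's sorted list arrives."""
    MAX_SLOTS = 500

    def __init__(self):
        self.slots = []
        self.complete = False
        self.lock = threading.Lock()

    def append(self, token, rights):
        with self.lock:
            if len(self.slots) >= self.MAX_SLOTS:
                raise OverflowError("cache row holds at most 500 tokens")
            if self.slots and token < self.slots[-1][0]:
                raise ValueError("security server must return tokens in ascending order")
            self.slots.append((token & 0xFFFFFFFF, rights & 0xFFFF))

    def finish(self):
        with self.lock:
            self.complete = True

    def search(self, token):
        """Binary search of the slots received so far (blocks 1012-1022).
        Returns ("found", rights), ("absent", None) or ("pending", None)."""
        with self.lock:
            tokens = [t for t, _ in self.slots]
            complete = self.complete
            i = bisect.bisect_left(tokens, token)
            if i < len(tokens) and tokens[i] == token:
                rights = 0
                while i < len(tokens) and tokens[i] == token:   # duplicates sit in adjacent slots
                    rights |= self.slots[i][1]
                    i += 1
                return "found", rights
        if complete:
            return "absent", None
        # Row still filling. Because the list arrives sorted, a token smaller than
        # the last one received can never arrive later (added shortcut).
        return ("pending", None) if i == len(tokens) else ("absent", None)


class AccessRightsCache:
    """Per-machine cache 802 with the LRU monitor 808 and pipe monitor 810."""

    def __init__(self, max_rows=5000):
        self.max_rows = max_rows
        self.rows = OrderedDict()          # account number -> CacheRow, least recently used first
        self.lock = threading.Lock()

    def _row_for(self, account, query_security_server):
        with self.lock:
            row = self.rows.get(account)
            if row is not None:                   # block 1002: lookup on account number
                self.rows.move_to_end(account)    # LRU monitor 808: most recently used
                return row
            if len(self.rows) >= self.max_rows:
                self.rows.popitem(last=False)     # cache full: overwrite least recently used row
            row = self.rows[account] = CacheRow()
        # Only the thread that created the row gets here, so exactly one query
        # thread is started per missing user (blocks 1004-1008).
        threading.Thread(target=self._fill, args=(row, account, query_security_server),
                         daemon=True).start()
        return row

    @staticmethod
    def _fill(row, account, query_security_server):
        for token, rights in query_security_server(account):
            row.append(token, rights)
        row.finish()

    def disconnect(self, account):
        """Pipe monitor 810: the user's pipe count reached zero, drop the row."""
        with self.lock:
            self.rows.pop(account, None)

    def get_account_rights(self, account, token, query_security_server, interval=0.001):
        """16-bit access rights value, or None if the user has no rights to the token."""
        row = self._row_for(account, query_security_server)
        while True:
            status, rights = row.search(token)
            if status == "found":
                return rights
            if status == "absent":
                return None
            time.sleep(interval)           # block 1016: wait for more of the list to arrive


# Constructed security-server reply for user 1: slots 1 and 2 carry duplicate
# token 5 (0004H group-based, 0008H account-based); token 7 is absent.
USER1_LIST = [(5, 0x0004), (5, 0x0008), (6, 0x0001), (9, 0x0011), (12, 0x0001)]


def demo_security_server(account):
    return list(USER1_LIST) if account == 1 else []
```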
11. Assignment of Tokens and Formation of User Groups

In the preferred embodiment of the network 100, new
security tokens are assigned by system administrators (to
create new content categories) as it becomes necessary or
desirable to provide separate security with respect to new or
existing service areas. In accordance with one preferred
mode of operation, security tokens are assigned so as to
create service areas that are managed or "owned" by differ-
ent individuals. The responsibility of monitoring and/or
otherwise managing the content of the network is thereby
distributed among many (e.g., 500) different users, including
system administrators, subscribers, and third party content
providers.

To provide a specific example of how ownership may be
assigned to service areas in accordance with the present
invention, suppose that a system administrator wants to
create a new service area, such as a bulletin board on a
particular topic, and wishes to designate a particular sub-
scriber as the owner of the new service area. (In the preferred
embodiment of the network 100, subscribers can request the
creation of certain types of service areas, and can volunteer
to be owners of such areas.) To generate the new BBS
service area, the system administrator creates a BBS folder
node (preferably using the Sysop Tools client application) in
the Directory Service tree. To provide separate security for
this new service area, the system administrator assigns a
unique security token to the folder node, and enters this
security token as a property of the folder node. (BBS
messages subsequently created under the new BBS folder
then inherit this security token, and become part of the same
content category.) To give the user ownership-type privi-
leges to the new service area, the system administrator then
generates a user-specific row in the account-token table 606,
specifying (1) the user's account number, (2) the newly-
created security token, and (3) an access rights value that has
the "sysop manager" bit (bit 4 in FIG. 3B) set. Finally, the
system administrator adds one or more rows to the group-
token table 604, specifying in each such row: (1) the group
ID of a user group which will be given access to the new
service area, (2) the newly-created security token for the
area, and (3) an access rights value that specifies the
privilege level/s members of the group are to have with
respect to the new service area. For example, a row could be
created to give members of group 1 (the group "everyone")
user-level access to the new area.
In accordance with another preferred mode of operation,
content categories and associated user groups are formed so
as to create many different "private" service areas (such as
the "family and friends" type service areas described above)
that are accessible to different subgroups of users. To pro-
vide a specific example, suppose that a system administrator
wants to create a Chat room to allow members of a certain
organization to carry on an interactive conversation. To
create such a Chat room, the system administrator initially
creates a Chat room node, specifying a unique security token
for the Chat room. The system administrator then updates
the group-member table 602 so as to create a new group that
consists of the accounts of the members of the organization.
(If the group is small, the system administrator may forego
creating a new user group, and may alternatively generate
one user-specific row in the account-token table 606 for each
member of the organization.) Finally, the system adminis-
trator adds a row to the group-token table 604, specifying (1)
the group ID of the newly-created user group, (2) the
security token of the Chat room, and (3) an appropriate
access rights value.
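The two administrator procedures of this section, and the security server's generation of the sorted access rights list in which group-based and account-based entries stay separate (block 708, the duplicate-token case discussed above), as an added Python example that is not the patent's code. The in-memory representation of tables 602, 604 and 606, the USER_LEVEL value, the token numbering and the 500-entry check are constructed assumptions.

```python
"""Security-server side: tables 602/604/606 and the sorted list of block 708. Added example."""
from typing import List, Set, Tuple

SYSOP_MANAGER = 1 << 4   # bit 4 of the 16-bit access rights value (FIG. 3B)
USER_LEVEL = 1 << 0      # constructed value standing for ordinary "user-level" access
EVERYONE = 1             # group 1 is the group "everyone"
MAX_LIST_LENGTH = 500    # a cache row on the application servers holds 500 slots


class AccessRightsDatabase:
    """Constructed stand-in for the relational access rights database 152."""

    def __init__(self):
        self.group_member: Set[Tuple[int, int]] = set()        # table 602: (group_id, account)
        self.group_token: List[Tuple[int, int, int]] = []      # table 604: (group_id, token, rights)
        self.account_token: List[Tuple[int, int, int]] = []    # table 606: (account, token, rights)
        self._next_token = 100                                 # constructed starting token number

    def new_token(self) -> int:
        """Assign a fresh 32-bit security token, i.e. create a new content category."""
        token, self._next_token = self._next_token, self._next_token + 1
        return token

    def add_member(self, group_id: int, account: int) -> None:
        self.group_member.add((group_id, account))

    def grant_group(self, group_id: int, token: int, rights: int) -> None:
        self.group_token.append((group_id, token, rights & 0xFFFF))

    def grant_account(self, account: int, token: int, rights: int) -> None:
        self.account_token.append((account, token, rights & 0xFFFF))

    def access_rights_list(self, account: int) -> List[Tuple[int, int]]:
        """Blocks 702-708: group-based entries, then account-specific entries, kept as
        separate (token, rights) pairs and sorted by token so duplicates are adjacent."""
        groups = {g for g, a in self.group_member if a == account}
        entries = [(t, r) for g, t, r in self.group_token if g in groups]
        entries += [(t, r) for a, t, r in self.account_token if a == account]
        entries.sort(key=lambda e: e[0])            # stable: group entry precedes account entry
        if len(entries) > MAX_LIST_LENGTH:          # would overflow the caller's cache row
            raise OverflowError(f"access rights list for account {account} exceeds 500 tokens")
        return entries


def create_owned_bbs_area(db: AccessRightsDatabase, owner_account: int) -> int:
    """First procedure: new BBS folder token, owner row in 606, 'everyone' row in 604."""
    token = db.new_token()                        # stored as a property of the new folder node
    db.grant_account(owner_account, token, SYSOP_MANAGER)
    db.grant_group(EVERYONE, token, USER_LEVEL)
    return token


def create_private_chat_room(db: AccessRightsDatabase, group_id: int,
                             member_accounts: List[int], rights: int = USER_LEVEL) -> int:
    """Second procedure: new Chat room token, new group in 602, one row in 604."""
    token = db.new_token()
    for account in member_accounts:
        db.add_member(group_id, account)
    db.grant_group(group_id, token, rights)
    return token


def demo():
    """Constructed scenario: accounts 1-3 are 'everyone'; account 2 owns a BBS area;
    accounts 1 and 2 form an organization (group 2) with a private Chat room."""
    db = AccessRightsDatabase()
    for account in (1, 2, 3):
        db.add_member(EVERYONE, account)
    bbs = create_owned_bbs_area(db, owner_account=2)
    chat = create_private_chat_room(db, group_id=2, member_accounts=[1, 2])
    return db, bbs, chat
```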

As will be recognized from the foregoing, content cat- 
egories and user groups may be formed by system admin- 
istrators to achieve any of a variety of different security- 
related objectives. These objectives will depend generally 
upon the nature of the particular network in which the 
present invention is employed, and will depend upon the 
type or types of data entities to which access is being 
controlled. 

As will be apparent to those skilled in the art, the general
criteria used by system administrators for deciding when to
create new user groups and when to assign new security
tokens will ultimately affect the quantity of data stored
within the access rights database 152. In the network 100
described herein, these decisions may advantageously be
made as folder nodes are added to the Directory Service
structure. The decision making process may be assisted, or
the decision may be made, by a computer software system
which monitors the contents of the access rights database
152, and which recommends modifications that can be made
to the existing user groups and content categories in order to
reduce the quantity of data stored within the database 152.
12. Other Embodiments

As described above, the preferred embodiment uses
Directory Service nodes as the basic content unit with which
different security levels may be associated. Thus, in order to
provide security for a content object, a corresponding node
(with a corresponding security token stored as a property)
must be created in the Directory Service structure. As will be
readily apparent to those skilled in the art, however, various
alternatives to the node-based approach are possible. For
example, the security tokens could be stored or cached with
the content objects, or could be stored within tables main-
tained by the various services (such as Chat or Mediaview).
(Accordingly, it will further be recognized that the present
invention does not require the use of a directory structure.)
Hybrid approaches are also possible, in which the security
tokens for some content objects (such as folder-type objects)
are stored within a directory structure, while the security
tokens for other content objects are stored elsewhere within
the system.

It will also be appreciated that although the preferred
embodiment described herein is directed to the security of
user-accessible content objects in an on-line services
network, other embodiments may be directed to the security
of entirely different types of objects and data entities. For
example, the invention may readily be adapted to control
user accesses to files in a file system, or to control accesses
by software processes to system resources.

In view of these variations and other variations which
may be apparent to those skilled in the art, the scope of the
present invention is intended to be defined only by reference
to the appended claims.

What is claimed is:

1. A method for controlling user access to a plurality of data entities in a computer network, said plurality of data entities stored on a plurality of application servers, said method comprising the steps of:

sending an access rights query from an application server to a security server, said access rights query specifying a user of the network;

at said security server, accessing a relational database in response to said access rights query to obtain an access rights list for said user, said access rights list specifying access rights of said user with respect to said plurality of data entities;

sending said access rights list from said security server to said application server;

at said application server, storing said access rights list in an access rights cache; and

accessing said cache to determine the access rights of said user with respect to a specific data entity of said plurality of data entities.

2. The method according to claim 1, wherein said access rights list comprises a plurality of category identifiers, each of said category identifiers specifying a data entity category.

3. The method according to claim 2, wherein said access rights list further comprises a plurality of access rights values, each of said access rights values corresponding to a respective one of said category identifiers and specifying access rights of said user with respect to data entities that fall within a respective data entity category.

4. The method according to claim 2, further comprising the step of determining a data entity category in which said specific data entity falls.

5. The method according to claim 4, wherein said step of determining a data entity category comprises accessing a directory structure which is stored on at least one of said plurality of application servers, said directory structure representing an arrangement of said plurality of data entities.

6. The method according to claim 4, wherein said step of determining a data entity category comprises reading a category identifier stored with said specific data entity.

7. The method according to claim 4, wherein said step of determining a data entity category comprises reading a category identifier that is stored on an application server in association with said specific data entity.

8. The method according to claim 2, wherein said step of accessing said cache comprises searching said cache for a specific category identifier, said specific category identifier representing a data entity category in which said specific data entity falls.

9. The method according to claim 2, wherein said step of storing said access rights list in said cache comprises storing said category identifiers in a numerical order within said cache to thereby facilitate searches of said cache.

10. The method according to claim 1, wherein said access rights list comprises a plurality of access rights values, said access rights values specifying generic privilege levels of said user.

11. The method according to claim 10, wherein said step of accessing said cache comprises the steps of reading an access rights value from said cache, and translating said access rights value into a set of specific access capabilities.

12. The method according to claim 11, wherein said step of translating is performed by a service application running
on said application server, said service application being associated with said specific data entity.

13. The method according to claim 1, wherein said step of accessing said relational database comprises identifying at least one user group in which said user is a member.

14. The method according to claim 13, wherein said step of accessing said relational database further comprises identifying a plurality of data entity groups to which said user has access rights by virtue of being a member of said at least one user group.

15. The method according to claim 1, wherein said step of storing said access rights list in said cache and said step of accessing said cache to determine the access rights of said user are performed concurrently.

16. The method according to claim 1, wherein said plurality of data entities represents the content of an on-line services network.

17. The method according to claim 1, wherein at least one of said plurality of data entities is a system resource.

18. The method according to claim 1, further comprising the step of forwarding said access rights list from said application server to a different application server when said user connects to said different application server.

19. The method according to claim 1, further comprising the step of, if said user is not authorized to access said specific data entity, preventing said user from seeing a representation of said specific data entity.

20. The method according to claim 19, wherein said step of preventing comprises omitting said representation from a reconstructed directory structure that is shown to said user.

21. A method of determining the access rights of a user of a computer system with respect to a plurality of data entities of the computer system, comprising the steps of:

identifying at least one user group of which said user is a member, said at least one user group being part of a predefined set of user groups; and

identifying at least one data entity category to which said user has access by virtue of being a member of said at least one user group, said at least one data entity category being part of a predefined set of data entity categories.

22. The method according to claim 21, wherein said steps of identifying at least one user group and identifying at least one data entity category each comprise accessing a relational database stored on a server of a computer network.

23. The method according to claim 21, further comprising the step of identifying at least one data entity that falls within said at least one data entity category.

24. The method according to claim 21, further comprising the steps of:

determining a specific data entity category in which a specific data entity falls; and

determining whether said at least one data entity category to which said user has access includes said specific data entity category, to thereby determine whether said user has access to said specific data entity.

25. The method according to claim 21, further comprising the step of reading an access rights value that specifies access rights of said user with respect to all data entities that fall within a data entity category of said at least one data entity category.

26. The method according to claim 21, further comprising the step of identifying at least one additional data entity category to which said user has access, said at least one additional data entity category being in addition to data entity categories to which said user has access by virtue of being a member of a user group.

27. The method according to claim 21, wherein said step of identifying at least one user group of which said user is a member comprises identifying a plurality of user groups of which said user is a member.

28. The method according to claim 21, wherein each user group of said predefined set of user groups corresponds to a respective set of user access rights with respect to said plurality of data entities.

29. The method according to claim 21, wherein each data entity category of said predefined set of data entity categories contains a respective subgroup of said plurality of data entities.

30. The method according to claim 21, wherein each data entity of said plurality of data entities falls within exactly one data entity category of said predefined set of data entity categories.

31. The method according to claim 21, further comprising the steps of:

generating a list of category identifiers that identifies said at least one data entity category to which said user has access; and

transmitting said list across a computer network to at least one server.

32. The method according to claim 31, further comprising …

33. The method according to claim 31, further comprising storing said list in respective cache memories of a plurality of servers.

34. The method according to claim 21, wherein said plurality of data entities represents a content of an on-line services network.

35. The method according to claim 21, wherein said plurality of data entities comprises files of a file system.

36. The method according to claim 21, wherein said plurality of data entities comprises system resources to which access is controlled by an operating system.

37. In a computer network in which different users have different access rights with respect to different data entities, a method of efficiently specifying the access rights of users, comprising the steps of:

assigning each of a plurality of data entities to one of a plurality of categorical groups of data entities, each of said categorical groups containing data entities for which user access rights may be specified collectively; and

assigning each of a plurality of users to at least one of a plurality of user groups, each of said user groups having a corresponding set of access rights associated therewith with respect to said plurality of categorical groups.

38. The method according to claim 37, wherein said step of assigning each of said plurality of data entities to one of said plurality of categorical groups comprises storing a respective categorical group identifier in association with each of said plurality of data entities.

39. The method according to claim 38, wherein said step of storing comprises storing a categorical group identifier within a data entity directory structure.

40. The method according to claim 37, wherein said step of assigning each of said plurality of users to at least one of said plurality of user groups comprises assigning at least one of said users to multiple of said user groups.

41. The method according to claim 37, wherein each of said data entities is a content object that represents content of an on-line services network.

42. A system for providing user access to data entities in a computer network, comprising:

at least one application server that stores a plurality of data entities, said data entities accessible by a plurality of users through a plurality of application programs,
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different of said users having different levels of access 
with respect to at least some of said data entities; 

a database which stores access rights values that specify access rights of said users with respect to said data entities; and
an access rights cache on said at least one application server, said access rights cache storing access rights lists, said access rights lists obtained from said database in response to requests from said at least one application server, each of said access rights lists comprising a plurality of said access rights values and specifying access rights for a respective one of said plurality of users.

43. The system according to claim 42, wherein said access rights values are stored in said database in association with category identifiers that identify categories of said data entities.

44. The system according to claim 43, wherein each of said lists further comprises a plurality of said category identifiers.

45. The system according to claim 43, wherein said database is implemented on a separate server from said at least one application server.

46. The system according to claim 45, wherein said at least one application server stores at least a subgroup of said category identifiers.

47. The system according to claim 43, wherein said access rights values are stored in said database in further association with group identifiers that identify groups of said users.

48. The system according to claim 42, wherein said at least one application server runs a program module that generates a query of said database when a user connects to said at least one application server, said query causing an access rights list for said user to be obtained from said database and written to said access rights cache.

49. The system according to claim 48, wherein said program module deletes said access rights list from said cache when said user disconnects from said at least one application server.

50. The system according to claim 42, wherein said access rights cache specifies access rights for a variable subset of said plurality of users.

51. The system according to claim 42, wherein each of said access rights lists specifies user access rights with respect to all of said data entities.

52. The system according to claim 42, wherein said at least one application server comprises an application server that runs a directory service application program, said directory service application program providing a directory of said data entities to said users.

53. The system according to claim 42, wherein said access rights values contain privilege level bits which specify general privilege levels, said general privilege levels converted into specific access capabilities by said application programs, different application programs converting like privilege levels into different access capabilities.

54. An access rights list stored on a storage medium of a computer, said access list specifying the access rights of a user of a network with respect to a plurality of data entities of said network, said plurality of data entities subdivided into multiple categorical groups of data entities, said access rights list comprising:
a plurality of group identifiers, each of said group identifiers specifying one of said multiple categorical groups, said plurality of group identifiers specifying a subset of said multiple categorical groups to which said user has access rights; and
a plurality of access rights values, each of said access rights values specifying access rights with respect to data entities which fall within a respective one of said categorical groups of said subset.

55. The access rights list according to claim 54, wherein said group identifiers are arranged in a numerical order to facilitate searches for individual group identifiers.

56. The access rights list according to claim 54, wherein said plurality of data entities represents content of an on-line services network.

57. The access rights list according to claim 54, stored within an access rights cache of a server.

58. The access rights list according to claim 54, stored within an access rights cache of a gateway computer.

59. A relational database for storing access rights data which specifies access rights of users with respect to a plurality of data entities of a computer network, said plurality of data entities subdivided into a plurality of categories, said database comprising:
a first table that maps users to user groups, at least one of said users being a member of multiple of said user groups;
a second table which contains, for each of said user groups, a group-based access rights list that specifies group-based access rights of members of a respective user group, said group-based access rights list stored in association with a plurality of category identifiers that identify said categories of data entities; and
a third table which contains, for at least one of said users, a user-specific access rights list that specifies special rights for a respective user, said user-specific access rights list stored in association with said plurality of category identifiers.

60. The relational database according to claim 59, wherein said special rights are additional rights that are added to said group-based rights of said respective user.

61. The relational database according to claim 59, wherein said special rights are exclusion rights that are subtracted from said group-based rights of said respective user.

62. The relational database according to claim 59, wherein said data entities are content objects of an on-line services network.

63. In a computer network in which different users have different access rights with respect to different data entities, a method of specifying the access rights of a user with respect to a plurality of data entities, comprising the steps of:
assigning a category identifier to said plurality of data entities;
storing said category identifier with or in association with each data entity of said plurality of data entities; and
storing an access rights value in association with said category identifier and in further association with an account number of said user, said access rights value specifying said access rights of said user with respect to said plurality of data entities.

64. The method according to claim 63, wherein said access rights value comprises a plurality of privilege level bits, each of said privilege level bits corresponding to a respective privilege level which may be assigned to said user.

65. The method according to claim 63, wherein said access rights value specifies a sysop privilege level of said user with respect to said plurality of data entities.

66. The method according to claim 63, wherein said step of storing said category identifier comprises storing said category identifier in association with at least one node of a directory structure, said directory structure providing a directory to at least said plurality of data entities.
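As an added illustration (not code from the patent), the following Python models the three-table database of claims 59-61, derives the sorted per-user access rights list of claims 54-55 by adding and subtracting user-specific rights from the group-based rights, and resolves access to an entity through the category identifier stored with it, as in claims 24 and 63-64. The table layouts, the meaning given to each privilege level bit, and the sample users, groups, categories and entities are all constructed assumptions.

```python
# Added example (not the patent's own code): a minimal model of the three-table
# access rights database of claims 59-61 and the per-user access rights list of
# claims 54-55. Table layouts, bit meanings and sample data are assumptions.
from bisect import bisect_left

# Privilege level bits (claim 64); the capabilities assigned to them here are assumed.
READ, WRITE, SYSOP = 1, 2, 4

# First table: user -> user groups (a user may belong to several groups).
USER_GROUPS = {"alice": ["members", "editors"], "bob": ["members"]}
# Second table: user group -> {category identifier: access rights value}.
GROUP_RIGHTS = {
    "members": {100: READ, 200: READ},
    "editors": {200: READ | WRITE, 300: READ | WRITE},
}
# Third table: user-specific special rights, added (claim 60) or subtracted (claim 61).
USER_ADDITIONS = {"bob": {300: READ | WRITE | SYSOP}}
USER_EXCLUSIONS = {"alice": {100: READ}}
# Category identifier stored in association with each data entity (claim 63).
ENTITY_CATEGORY = {"chat/lobby": 100, "bbs/general": 200, "bbs/editors": 300}


def build_access_rights_list(user):
    """Return (category ids in numerical order, parallel access rights values)."""
    rights = {}
    for group in USER_GROUPS.get(user, []):
        for cat, value in GROUP_RIGHTS[group].items():
            rights[cat] = rights.get(cat, 0) | value   # union over the user's groups
    for cat, value in USER_ADDITIONS.get(user, {}).items():
        rights[cat] = rights.get(cat, 0) | value       # special rights added
    for cat, value in USER_EXCLUSIONS.get(user, {}).items():
        rights[cat] = rights.get(cat, 0) & ~value      # exclusion rights subtracted
        if rights[cat] == 0:
            del rights[cat]                            # no remaining access: drop category
    cats = sorted(rights)                              # sorted ids enable fast lookup (claim 55)
    return cats, [rights[c] for c in cats]


def access_value(access_list, entity):
    """Resolve an entity to its category and look up the rights value (claim 24)."""
    cats, values = access_list
    cat = ENTITY_CATEGORY[entity]
    i = bisect_left(cats, cat)                         # binary search over sorted ids
    return values[i] if i < len(cats) and cats[i] == cat else 0


def can(access_list, entity, needed):
    """True when every requested privilege bit is set for the entity's category."""
    return access_value(access_list, entity) & needed == needed
```

An application program would map the returned bits to its own capabilities (claim 53), so the same value can mean different things to a chat program and a bulletin board program.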